From ae4dad898bfd30befe998a7002276f09512a7649 Mon Sep 17 00:00:00 2001 From: Vladimir Kozhukalov Date: Mon, 30 Mar 2026 12:41:45 -0500 Subject: [PATCH] Remove unused charts - Falco (the Falco community provides its own well-maintained chart) - Daemonjob-controller (unused) - Lockdown (unused) - Metacontroller (unused) For details see the mailing thread: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/27MWCXADBFHWLALH4CZF6K4UVHLLOJ2M/ 
Signed-off-by: Vladimir Kozhukalov Change-Id: I5fc21946f23bf7b1e3b057ebc0eeb51b0fb1e955 --- daemonjob-controller/Chart.yaml | 24 - .../templates/bin/_sync-hook.py.tpl | 106 - .../templates/composite-controller.yaml | 33 - .../templates/configmap-bin.yaml | 25 - daemonjob-controller/templates/crd.yaml | 4124 ----------------- .../templates/deployment.yaml | 63 - .../templates/extra-manifests.yaml | 8 - .../templates/job-image-repo-sync.yaml | 18 - .../templates/secret-registry.yaml | 17 - daemonjob-controller/templates/service.yaml | 28 - daemonjob-controller/values.yaml | 164 - doc/source/chart/infra_charts.rst | 4 - falco/Chart.yaml | 36 - falco/templates/bin/_falco.sh.tpl | 18 - falco/templates/configmap-bin.yaml | 25 - falco/templates/configmap-etc.yaml | 26 - falco/templates/configmap-rules.yaml | 24 - falco/templates/daemonset.yaml | 149 - falco/templates/extra-manifests.yaml | 8 - falco/templates/job-image-repo-sync.yaml | 18 - falco/templates/secret-registry.yaml | 17 - falco/values.yaml | 1417 ------ lockdown/Chart.yaml | 21 - lockdown/templates/extra-manifests.yaml | 8 - lockdown/templates/network_policy.yaml | 35 - lockdown/values.yaml | 51 - metacontroller/Chart.yaml | 31 - metacontroller/templates/crds.yaml | 333 -- metacontroller/templates/extra-manifests.yaml | 8 - .../templates/job-image-repo-sync.yaml | 18 - metacontroller/templates/secret-registry.yaml | 17 - metacontroller/templates/service.yaml | 32 - metacontroller/templates/statefulset.yaml | 94 - metacontroller/values.yaml | 162 - releasenotes/config.yaml | 4 - releasenotes/notes/daemonjob-controller.yaml | 13 - releasenotes/notes/falco.yaml | 16 - releasenotes/notes/lockdown.yaml | 7 - releasenotes/notes/metacontroller.yaml | 13 - .../deployment/common/daemonjob-controller.sh | 117 - tools/deployment/common/falco.sh | 24 - tools/deployment/common/lockdown-netpol.sh | 28 - tools/deployment/common/metacontroller.sh | 65 - .../daemonjob-controller/apparmor.yaml | 9 - 
values_overrides/metacontroller/apparmor.yaml | 9 - zuul.d/infra_jobs.yaml | 16 - zuul.d/project.yaml | 2 - 47 files changed, 7485 deletions(-) delete mode 100644 daemonjob-controller/Chart.yaml delete mode 100644 daemonjob-controller/templates/bin/_sync-hook.py.tpl delete mode 100644 daemonjob-controller/templates/composite-controller.yaml delete mode 100644 daemonjob-controller/templates/configmap-bin.yaml delete mode 100644 daemonjob-controller/templates/crd.yaml delete mode 100644 daemonjob-controller/templates/deployment.yaml delete mode 100644 daemonjob-controller/templates/extra-manifests.yaml delete mode 100644 daemonjob-controller/templates/job-image-repo-sync.yaml delete mode 100644 daemonjob-controller/templates/secret-registry.yaml delete mode 100644 daemonjob-controller/templates/service.yaml delete mode 100644 daemonjob-controller/values.yaml delete mode 100644 falco/Chart.yaml delete mode 100644 falco/templates/bin/_falco.sh.tpl delete mode 100644 falco/templates/configmap-bin.yaml delete mode 100644 falco/templates/configmap-etc.yaml delete mode 100644 falco/templates/configmap-rules.yaml delete mode 100644 falco/templates/daemonset.yaml delete mode 100644 falco/templates/extra-manifests.yaml delete mode 100644 falco/templates/job-image-repo-sync.yaml delete mode 100644 falco/templates/secret-registry.yaml delete mode 100644 falco/values.yaml delete mode 100644 lockdown/Chart.yaml delete mode 100644 lockdown/templates/extra-manifests.yaml delete mode 100644 lockdown/templates/network_policy.yaml delete mode 100644 lockdown/values.yaml delete mode 100644 metacontroller/Chart.yaml delete mode 100644 metacontroller/templates/crds.yaml delete mode 100644 metacontroller/templates/extra-manifests.yaml delete mode 100644 metacontroller/templates/job-image-repo-sync.yaml delete mode 100644 metacontroller/templates/secret-registry.yaml delete mode 100644 metacontroller/templates/service.yaml delete mode 100644 metacontroller/templates/statefulset.yaml delete 
mode 100644 metacontroller/values.yaml delete mode 100644 releasenotes/notes/daemonjob-controller.yaml delete mode 100644 releasenotes/notes/falco.yaml delete mode 100644 releasenotes/notes/lockdown.yaml delete mode 100644 releasenotes/notes/metacontroller.yaml delete mode 100755 tools/deployment/common/daemonjob-controller.sh delete mode 100755 tools/deployment/common/falco.sh delete mode 100755 tools/deployment/common/lockdown-netpol.sh delete mode 100755 tools/deployment/common/metacontroller.sh delete mode 100644 values_overrides/daemonjob-controller/apparmor.yaml delete mode 100644 values_overrides/metacontroller/apparmor.yaml diff --git a/daemonjob-controller/Chart.yaml b/daemonjob-controller/Chart.yaml deleted file mode 100644 index 204a81c13f..0000000000 --- a/daemonjob-controller/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v2 -appVersion: v1.0.0 -description: A Helm chart for DaemonjobController -name: daemonjob-controller -version: 2025.2.0 -home: https://opendev.org/openstack -dependencies: - - name: helm-toolkit - repository: file://../helm-toolkit - version: ">= 0.1.0" -... diff --git a/daemonjob-controller/templates/bin/_sync-hook.py.tpl b/daemonjob-controller/templates/bin/_sync-hook.py.tpl deleted file mode 100644 index 546f0dd061..0000000000 --- a/daemonjob-controller/templates/bin/_sync-hook.py.tpl +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/usr/bin/env python -{{/* -Copyright 2019 Google Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -import copy -from http.server import BaseHTTPRequestHandler, HTTPServer -import io -import json - - -def is_job_finished(job): - if 'status' in job: - desiredNumberScheduled = job['status'].get('desiredNumberScheduled', 1) - numberReady = job['status'].get('numberReady', 0) - if (desiredNumberScheduled == numberReady and - desiredNumberScheduled > 0): - return True - return False - - -def new_daemon(job): - pause_image = {{ .Values.images.tags.pause | quote }} - daemon = copy.deepcopy(job) - daemon['apiVersion'] = 'apps/v1' - daemon['kind'] = 'DaemonSet' - daemon['metadata'] = {} - daemon['metadata']['name'] = '%s-dj' % (job['metadata']['name']) - daemon['metadata']['labels'] = copy.deepcopy( - job['spec']['template']['metadata']['labels']) - daemon['spec'] = {} - daemon['spec']['template'] = copy.deepcopy(job['spec']['template']) - daemon['spec']['template']['spec']['initContainers'] = copy.deepcopy( - job['spec']['template']['spec']['containers']) - daemon['spec']['template']['spec']['containers'] = [ - {'name': "pause", 'image': job['spec'].get( - 'pauseImage', pause_image), - 'resources': {'requests': {'cpu': '10m'}}}] - daemon['spec']['selector'] = {'matchLabels': copy.deepcopy( - job['spec']['template']['metadata']['labels'])} - - return daemon - - -class Controller(BaseHTTPRequestHandler): - def sync(self, job, children): - desired_status = {} - child 
= '%s-dj' % (job['metadata']['name']) - - # If the job already finished at some point, freeze the status, - # delete children, and take no further action. - if is_job_finished(job): - desired_status = copy.deepcopy(job['status']) - desired_status['conditions'] = [ - {'type': 'Complete', 'status': 'True'}] - return {'status': desired_status, 'children': []} - - # Compute status based on what we observed, - # before building desired state. - # Our .status is just a copy of the DaemonSet . - # status with extra fields. - desired_status = copy.deepcopy( - children['DaemonSet.apps/v1'].get(child, {}).get('status', {})) - if is_job_finished(children['DaemonSet.apps/v1'].get(child, {})): - desired_status['conditions'] = [ - {'type': 'Complete', 'status': 'True'}] - else: - desired_status['conditions'] = [ - {'type': 'Complete', 'status': 'False'}] - - # Always generate desired state for child if we reach this point. - # We should not delete children until after we know we've recorded - # completion in our status, which was the first check we did above. - desired_child = new_daemon(job) - return {'status': desired_status, 'children': [desired_child]} - - def do_POST(self): - observed = json.loads(self.rfile.read( - int(self.headers.get('Content-Length')))) - desired = self.sync(observed['parent'], observed['children']) - self.send_response(200) - self.send_header('Content-type', 'application/json') - self.end_headers() - out = io.TextIOWrapper( - self.wfile, - encoding='utf-8', - line_buffering=False, - write_through=True, - ) - out.write(json.dumps(desired)) - out.detach() - - -HTTPServer(('', 80), Controller).serve_forever() diff --git a/daemonjob-controller/templates/composite-controller.yaml b/daemonjob-controller/templates/composite-controller.yaml deleted file mode 100644 index b3a2523cae..0000000000 --- a/daemonjob-controller/templates/composite-controller.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{ $groupName := .Values.crds.group_name }} -{{ $groupVersion := .Values.crds.group_version }} -{{ $groupVersionFormat := printf "%s/%s" $groupName $groupVersion }} -apiVersion: metacontroller.k8s.io/v1alpha1 -kind: CompositeController -metadata: - name: daemonjob-controller -spec: - generateSelector: true - parentResource: - apiVersion: {{ $groupVersionFormat }} - resource: daemonjobs - childResources: - - apiVersion: apps/v1 - resource: daemonsets - hooks: - sync: - webhook: - url: http://daemonjob-controller.metacontroller/sync diff --git a/daemonjob-controller/templates/configmap-bin.yaml b/daemonjob-controller/templates/configmap-bin.yaml deleted file mode 100644 index 01fd461f8a..0000000000 --- a/daemonjob-controller/templates/configmap-bin.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.configmap_bin }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: daemonjob-controller-bin - namespace: {{ .Release.Namespace }} -data: - sync.py: | -{{ tuple "bin/_sync-hook.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} -{{- end }} diff --git a/daemonjob-controller/templates/crd.yaml b/daemonjob-controller/templates/crd.yaml deleted file mode 100644 index 7e44cfa0e7..0000000000 --- a/daemonjob-controller/templates/crd.yaml +++ /dev/null 
@@ -1,4124 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.crds_create }} -{{ $groupName := .Values.crds.group_name }} -{{ $groupVersion := .Values.crds.group_version }} -{{ $groupVersionFormat := printf "%s/%s" $groupName $groupVersion }} -{{ $crdName := printf "%s.%s" "daemonjobs" $groupName }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: {{ $crdName }} -spec: - group: {{ $groupName }} - versions: - - name: {{ $groupVersion }} - served: true - storage: true - schema: - openAPIV3Schema: - description: DaemonJob is the Schema for the daemonjobs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DaemonJobSpec defines the desired state of DaemonJob - properties: - selector: - description: Foo is an example field of DaemonJob. Edit DaemonJob_types.go - to remove/update - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a - set of values. Valid operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator is - "In", and the values array contains only "value". The requirements - are ANDed. 
- type: object - type: object - template: - description: PodTemplateSpec describes the data a pod should have when - created from a template - properties: - metadata: - type: object - properties: - annotations: - type: object - additionalProperties: - type: string - labels: - type: object - additionalProperties: - type: string - spec: - description: 'Specification of the desired behavior of the pod. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active - on the node relative to StartTime before the system will actively - try to mark it failed and kill associated containers. Value - must be a positive integer. - format: int64 - type: integer - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for - the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a - no-op). A null preferred scheduling term matches - no objects (i.e. is also a no-op). 
- properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. If - the operator is Gt or Lt, the values - array must have a single element, - which will be interpreted as an integer. - This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. If - the operator is Gt or Lt, the values - array must have a single element, - which will be interpreted as an integer. - This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with matching the - corresponding nodeSelectorTerm, in the range - 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an - update), the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: A null or empty node selector term - matches no objects. The requirements of them - are ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: A node selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. If - the operator is Gt or Lt, the values - array must have a single element, - which will be interpreted as an integer. - This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: A node selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. If - the operator is Gt or Lt, the values - array must have a single element, - which will be interpreted as an integer. - This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. 
for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the - corresponding podAffinityTerm; the node(s) with the - highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". 
The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces - the labelSelector applies to (matches against); - null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose value - of the label with key topologyKey matches - that of any node on which any of the selected - pods is running. Empty topologyKey is not - allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range - 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a - pod label update), the system may or may not try to - eventually evict the pod from its node. When there - are multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. all - terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or - not co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any - node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces - the labelSelector applies to (matches against); - null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified - namespaces, where co-located is defined as running - on a node whose value of the label with key - topologyKey matches that of any node on which - any of the selected pods is running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the greatest - sum of weights, i.e. for each node that meets all - of the scheduling requirements (resource request, - requiredDuringScheduling anti-affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if the - node has pods which matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. 
If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces - the labelSelector applies to (matches against); - null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose value - of the label with key topologyKey matches - that of any node on which any of the selected - pods is running. Empty topologyKey is not - allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range - 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a - pod label update), the system may or may not try to - eventually evict the pod from its node. 
When there - are multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. all - terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or - not co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any - node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: namespaces specifies which namespaces - the labelSelector applies to (matches against); - null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified - namespaces, where co-located is defined as running - on a node whose value of the label with key - topologyKey matches that of any node on which - any of the selected pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. - type: boolean - containers: - description: List of containers belonging to the pod. Containers - cannot currently be added or removed. There must be at least - one container in a Pod. Cannot be updated. - items: - description: A single application container that you want - to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the reference - in the input string will be unchanged. The $(VAR_NAME) - syntax can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a - shell. The docker image''s ENTRYPOINT is used if this - is not provided. 
Variable references $(VAR_NAME) are - expanded using the container''s environment. If a variable - cannot be resolved, the reference in the input string - will be unchanged. The $(VAR_NAME) syntax can be escaped - with a double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether the variable - exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previous defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a double - $$, ie: $$(VAR_NAME). Escaped references will - never be expanded, regardless of whether the variable - exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, metadata.labels, - metadata.annotations, spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported - as an event when the container is starting. When a key - exists in multiple sources, the value associated with - the last source will take precedence. Values defined - by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of - a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret must - be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images in - workload controllers like Deployments and StatefulSets.' 
- type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is specified, - or IfNotPresent otherwise. Cannot be updated. More info: - https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according - to its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following - should be specified. Exec specifies the action - to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside a - shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you - need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving - a TCP port. TCP hooks not yet supported TODO: - implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. The - handler is not called if the container crashes or - exits. The reason for termination is passed to the - handler. The Pod''s termination grace period countdown - begins before the PreStop hooked is executed. Regardless - of the outcome of the handler, the container will - eventually terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until the termination - grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following - should be specified. Exec specifies the action - to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside a - shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you - need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving - a TCP port. 
TCP hooks not yet supported TODO: - implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port here - DOES NOT prevent that port from being exposed. Any port - which is listening on the default "0.0.0.0" address - inside a container will be accessible from the network. - Cannot be updated. - items: - description: ContainerPort represents a network port - in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the port - that can be referred to by services. - type: string - protocol: - description: Protocol for port. 
Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - default: "TCP" - required: - - containerPort - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. - More info: https://kubernetes.io/docs/concepts/policy/security-context/ - More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. 
AllowPrivilegeEscalation - is true always when the container is: 1) run as - Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set in - both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not - run as UID 0 (root) and fail to start the container - if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified in - image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to - the container. If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options from - the PodSecurityContext will be used. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. - This field is alpha-level and is only honored - by servers that enable the WindowsGMSA feature - flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. This field - is alpha-level and is only honored by servers - that enable the WindowsGMSA feature flag. 
- type: string - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. This field is beta-level and may - be disabled with the WindowsRunAsUserName feature - flag. - type: string - type: object - type: object - stdin: - description: Whether this container should allocate a - buffer for stdin in the container runtime. If this is - not set, reads from stdin in the container will always - result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is - empty until the first client attaches to stdin, and - then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such as - an assertion failure message. Will be truncated by the - node if greater than 4096 bytes. The total message length - across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. 
File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a - TTY for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. This is a beta feature. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. 
- type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults - to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the - container's environment. Defaults to "" (volume's - root). SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot be - updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters - specified here will be merged to the generated DNS configuration - based on DNSPolicy. - properties: - nameservers: - description: A list of DNS name server IP addresses. This - will be appended to the base nameservers generated from - DNSPolicy. Duplicated nameservers will be removed. - items: - type: string - type: array - options: - description: A list of DNS resolver options. This will be - merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options - given in Options will override those that appear in the - base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options - of a pod. - properties: - name: - description: Required. - type: string - value: - type: string - type: object - type: array - searches: - description: A list of DNS search domains for host-name - lookup. This will be appended to the base search paths - generated from DNSPolicy. Duplicated search paths will - be removed. 
- items: - type: string - type: array - type: object - dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', - 'Default' or 'None'. DNS parameters given in DNSConfig will - be merged with the policy selected with DNSPolicy. To have - DNS options set along with hostNetwork, you have to specify - DNS policy explicitly to 'ClusterFirstWithHostNet'. - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information - about services should be injected into pod''s environment - variables, matching the syntax of Docker links. Optional: - Defaults to true.' - type: boolean - ephemeralContainers: - description: List of ephemeral containers run in this pod. Ephemeral - containers may be run in an existing pod to perform user-initiated - actions such as debugging. This list cannot be specified when - creating a pod, and it cannot be modified by updating the - pod spec. In order to add an ephemeral container to an existing - pod, use the pod's ephemeralcontainers subresource. This field - is alpha-level and is only honored by servers that enable - the EphemeralContainers feature. - items: - description: An EphemeralContainer is a container that may - be added temporarily to an existing pod for user-initiated - activities such as debugging. Ephemeral containers have - no resource or scheduling guarantees, and they will not - be restarted when they exit or when a pod is removed or - restarted. If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. Ephemeral - containers may not be added by directly updating the pod - spec. They must be added via the pod's ephemeralcontainers - subresource, and they will appear in the pod spec once added. - This is an alpha feature enabled by the EphemeralContainers - feature flag. - properties: - args: - description: 'Arguments to the entrypoint. 
The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the reference - in the input string will be unchanged. The $(VAR_NAME) - syntax can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a - shell. The docker image''s ENTRYPOINT is used if this - is not provided. Variable references $(VAR_NAME) are - expanded using the container''s environment. If a variable - cannot be resolved, the reference in the input string - will be unchanged. The $(VAR_NAME) syntax can be escaped - with a double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether the variable - exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the - container. Cannot be updated. - items: - description: EnvVar represents an environment variable - present in a Container. - properties: - name: - description: Name of the environment variable. Must - be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are - expanded using the previous defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a double - $$, ie: $$(VAR_NAME). 
Escaped references will - never be expanded, regardless of whether the variable - exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, metadata.labels, - metadata.annotations, spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' 
- properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the - pod's namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables - in the container. The keys defined within a source must - be a C_IDENTIFIER. All invalid keys will be reported - as an event when the container is starting. When a key - exists in multiple sources, the value associated with - the last source will take precedence. Values defined - by an Env with a duplicate key will take precedence. - Cannot be updated. - items: - description: EnvFromSource represents the source of - a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap must - be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to - each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret must - be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is specified, - or IfNotPresent otherwise. Cannot be updated. More info: - https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Lifecycle is not allowed for ephemeral containers. - properties: - postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, the - container is terminated and restarted according - to its restart policy. Other management of the container - blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following - should be specified. Exec specifies the action - to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside a - shell, so traditional shell instructions - ('|', etc) won't work. 
To use a shell, you - need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving - a TCP port. TCP hooks not yet supported TODO: - implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. The - handler is not called if the container crashes or - exits. The reason for termination is passed to the - handler. The Pod''s termination grace period countdown - begins before the PreStop hooked is executed. Regardless - of the outcome of the handler, the container will - eventually terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following - should be specified. Exec specifies the action - to take. - properties: - command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside a - shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, you - need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving - a TCP port. TCP hooks not yet supported TODO: - implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port to - access on the container. Number must be - in the range 1 to 65535. Name must be an - IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - name: - description: Name of the ephemeral container specified - as a DNS_LABEL. This name must be unique among all containers, - init containers and ephemeral containers. - type: string - ports: - description: Ports are not allowed for ephemeral containers. - items: - description: ContainerPort represents a network port - in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port - to. - type: string - hostPort: - description: Number of port to expose on the host. 
- If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, this - must match ContainerPort. Most containers do not - need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the port - that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - resources: - description: Resources are not allowed for ephemeral containers. - Ephemeral containers use spare resources already allocated - to the pod. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: SecurityContext is not allowed for ephemeral - containers. 
- properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether - a process can gain more privileges than its parent - process. This bool directly controls if the no_new_privs - flag will be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as - Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount - to use for the containers. The default is DefaultProcMount - which uses the container runtime defaults for readonly - paths and masked paths. This requires the ProcMountType - feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set in - both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run - as a non-root user. 
If true, the Kubelet will validate - the image at runtime to ensure that it does not - run as UID 0 (root) and fail to start the container - if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified in - image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to - the container. If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. - type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options from - the PodSecurityContext will be used. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. 
- properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. - This field is alpha-level and is only honored - by servers that enable the WindowsGMSA feature - flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. This field - is alpha-level and is only honored by servers - that enable the WindowsGMSA feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. This field is beta-level and may - be disabled with the WindowsRunAsUserName feature - flag. - type: string - type: object - type: object - stdin: - description: Whether this container should allocate a - buffer for stdin in the container runtime. If this is - not set, reads from stdin in the container will always - result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce is - set to true, stdin is opened on container start, is - empty until the first client attaches to stdin, and - then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. 
Default is false - type: boolean - targetContainerName: - description: If set, the name of the container from PodSpec - that this ephemeral container targets. The ephemeral - container will be run in the namespaces (IPC, PID, etc) - of this container. If not set then the ephemeral container - is run in whatever namespaces are shared for the pod. - Note that the container runtime must support this feature. - type: string - terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such as - an assertion failure message. Will be truncated by the - node if greater than 4096 bytes. The total message length - across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a - TTY for itself, also requires 'stdin' to be true. Default - is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. This is a beta feature. - items: - description: volumeDevice describes a mapping of a raw - block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the - container that the device will be mapped to. 
- type: string - name: - description: name must match the name of a persistentVolumeClaim - in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. - type: boolean - subPath: - description: Path within the volume from which the - container's volume should be mounted. Defaults - to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable - references $(VAR_NAME) are expanded using the - container's environment. Defaults to "" (volume's - root). SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot be - updated. - type: string - required: - - name - type: object - type: array - hostAliases: - description: HostAliases is an optional list of hosts and IPs - that will be injected into the pod's hosts file if specified. - This is only valid for non-hostNetwork pods. 
- items: - description: HostAlias holds the mapping between IP and hostnames - that will be injected as an entry in the pod's hosts file. - properties: - hostnames: - description: Hostnames for the above IP address. - items: - type: string - type: array - ip: - description: IP address of the host file entry. - type: string - type: object - type: array - hostIPC: - description: 'Use the host''s ipc namespace. Optional: Default - to false.' - type: boolean - hostNetwork: - description: Host networking requested for this pod. Use the - host's network namespace. If this option is set, the ports - that will be used must be specified. Default to false. - type: boolean - hostPID: - description: 'Use the host''s pid namespace. Optional: Default - to false.' - type: boolean - hostname: - description: Specifies the hostname of the Pod If not specified, - the pod's hostname will be set to a system-defined value. - type: string - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references - to secrets in the same namespace to use for pulling any of - the images used by this PodSpec. If specified, these secrets - will be passed to individual puller implementations for them - to use. For example, in the case of docker, only DockerConfig - type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - type: array - nodeName: - description: NodeName is a request to schedule this pod onto - a specific node. 
If it is non-empty, the scheduler simply - schedules this pod onto that node, assuming that it fits resource - requirements. - type: string - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match a - node''s labels for the pod to be scheduled on that node. More - info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead associated - with running a pod for a given RuntimeClass. This field will - be autopopulated at admission time by the RuntimeClass admission - controller. If the RuntimeClass admission controller is enabled, - overhead must not be set in Pod create requests. The RuntimeClass - admission controller will reject Pod create requests which - have the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set to the value - defined in the corresponding RuntimeClass, otherwise it will - remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, and is only - honored by servers that enable the PodOverhead feature.' - type: object - preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting pods - with lower priority. One of Never, PreemptLowerPriority. Defaults - to PreemptLowerPriority if unset. This field is alpha-level - and is only honored by servers that enable the NonPreemptingPriority - feature. - type: string - priority: - description: The priority value. Various system components use - this field to find the priority of the pod. 
When Priority - Admission Controller is enabled, it prevents users from setting - this field. The admission controller populates this field - from PriorityClassName. The higher the value, the higher the - priority. - format: int32 - type: integer - priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" - and "system-cluster-critical" are two special keywords which - indicate the highest priorities with the former being the - highest priority. Any other name must be defined by creating - a PriorityClass object with that name. If not specified, the - pod priority will be default or zero if there is no default. - type: string - restartPolicy: - description: 'Restart policy for all containers within the pod. - One of Always, OnFailure, Never. Default to Always. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' - type: string - runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object - in the node.k8s.io group, which should be used to run this - pod. If no RuntimeClass resource matches the named class, - the pod will not be run. If unset or empty, the "legacy" RuntimeClass - will be used, which is an implicit class with an empty definition - that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' - type: string - schedulerName: - description: If specified, the pod will be dispatched by specified - scheduler. If not specified, the pod will be dispatched by - default scheduler. - type: string - securityContext: - description: 'SecurityContext holds pod-level security attributes - and common container settings. Optional: Defaults to empty. See - type description for default values of each field.' - properties: - fsGroup: - description: "A special supplemental group that applies - to all containers in a pod. 
Some volume types allow the - Kubelet to change the ownership of that volume to be owned - by the pod: \n 1. The owning GID will be the FSGroup 2. - The setgid bit is set (new files created in the volume - will be owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not modify - the ownership and permissions of any volume." - format: int64 - type: integer - runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be set - in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a - non-root user. If true, the Kubelet will validate the - image at runtime to ensure that it does not run as UID - 0 (root) and fail to start the container if it does. If - unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence for - that container. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a - random SELinux context for each container. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. 
- properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's - primary GID. If unspecified, no groups will be added - to any container. - items: - format: int64 - type: integer - type: array - sysctls: - description: Sysctls hold a list of namespaced sysctls used - for the pod. Pods with unsupported sysctls (by the container - runtime) might fail to launch. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: The Windows specific settings applied to all - containers. If unspecified, the options within a container's - SecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission - webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec named - by the GMSACredentialSpecName field. This field is - alpha-level and is only honored by servers that enable - the WindowsGMSA feature flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. 
This field is alpha-level - and is only honored by servers that enable the WindowsGMSA - feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set - in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. This field is beta-level and may - be disabled with the WindowsRunAsUserName feature - flag. - type: string - type: object - type: object - serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias - for ServiceAccountName. Deprecated: Use serviceAccountName - instead.' - type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount - to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - shareProcessNamespace: - description: 'Share a single process namespace between all of - the containers in a pod. When this is set containers will - be able to view and signal processes from other containers - in the same pod, and the first process in each container will - not be assigned PID 1. HostPID and ShareProcessNamespace cannot - both be set. Optional: Default to false.' - type: boolean - subdomain: - description: If specified, the fully qualified Pod hostname - will be "...svc.". If not specified, the pod will not have a domainname - at all. - type: string - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate - gracefully. May be decreased in delete request. Value must - be non-negative integer. The value zero indicates delete immediately. - If this value is nil, the default grace period will be used - instead. 
The grace period is the duration in seconds after - the processes running in the pod are sent a termination signal - and the time when the processes are forcibly halted with a - kill signal. Set this value longer than the expected cleanup - time for your process. Defaults to 30 seconds. - format: int64 - type: integer - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group - of pods ought to spread across topology domains. 
Scheduler - will schedule pods in a way which abides by the constraints. - This field is alpha-level and is only honored by clusters - that enables the EvenPodsSpread feature. All topologySpreadConstraints - are ANDed. - items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine - the number of pods in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values - array must be non-empty. If the operator is - Exists or DoesNotExist, the values array must - be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - maxSkew: - description: 'MaxSkew describes the degree to which pods - may be unevenly distributed. 
It''s the maximum permitted - difference between the number of matching pods in any - two topology domains of a given topology type. For example, - in a 3-zone cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 | zone2 - | zone3 | | P | P | | - if MaxSkew is - 1, incoming pod can only be scheduled to zone3 to become - 1/1/1; scheduling it onto zone1(zone2) would make the - ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto - any zone. It''s a required field. Default value is 1 - and 0 is not allowed.' - format: int32 - type: integer - topologyKey: - description: TopologyKey is the key of node labels. Nodes - that have a label with this key and identical values - are considered to be in the same topology. We consider - each as a "bucket", and try to put balanced - number of pods into each bucket. It's a required field. - type: string - whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal - with a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not to - schedule it - ScheduleAnyway tells the scheduler to - still schedule it It''s considered as "Unsatisfiable" - if and only if placing incoming pod on any topology - violates "MaxSkew". For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same labelSelector - spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming - pod can only be scheduled to zone2(zone3) to become - 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be - imbalanced, but scheduler won''t make it *more* imbalanced. - It''s a required field.' 
- type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - x-kubernetes-list-map-keys: - - topologyKey - - whenUnsatisfiable - x-kubernetes-list-type: map - volumes: - description: 'List of volumes that can be mounted by containers - belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty).' - format: int32 - type: integer - readOnly: - description: 'Specify "true" to force and set the - ReadOnly property in VolumeMounts to "true". If - omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: boolean - volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: string - required: - - volumeID - type: object - azureDisk: - description: AzureDisk represents an Azure Data Disk mount - on the host and bind mount to the pod. - properties: - cachingMode: - description: 'Host Caching mode: None, Read Only, - Read Write.' - type: string - diskName: - description: The Name of the data disk in the blob - storage - type: string - diskURI: - description: The URI the data disk in the blob storage - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. - type: string - kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed - data disk (only in managed availability set). defaults - to shared' - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. 
- type: boolean - secretName: - description: the name of secret that contains Azure - Storage Account Name and Key - type: string - shareName: - description: Share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: CephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: 'Required: Monitors is a collection of - Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - items: - type: string - type: array - path: - description: 'Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in - VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: boolean - secretFile: - description: 'Optional: SecretFile is the path to - key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - secretRef: - description: 'Optional: SecretRef is reference to - the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - required: - - monitors - type: object - cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. 
More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - properties: - fsType: - description: 'Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in - VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: boolean - secretRef: - description: 'Optional: points to a secret object - containing parameters used to connect to OpenStack.' - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - required: - - volumeID - type: object - configMap: - description: ConfigMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a value between 0 and - 0777. Defaults to 0644. Directories within the path - are not affected by this setting. This might be - in conflict with other options that affect the file - mode, like fsGroup, and the result can be other - mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced ConfigMap will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. 
If - a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked - optional. Paths must be relative and may not contain - the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits to use on - this file, must be a value between 0 and 0777. - If not specified, the volume defaultMode will - be used. This might be in conflict with other - options that affect the file mode, like fsGroup, - and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May - not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - optional: - description: Specify whether the ConfigMap or its - keys must be defined - type: boolean - type: object - csi: - description: CSI (Container Storage Interface) represents - storage that is handled by an external CSI driver (Alpha - feature). - properties: - driver: - description: Driver is the name of the CSI driver - that handles this volume. Consult with your admin - for the correct name as registered in the cluster. - type: string - fsType: - description: Filesystem type to mount. Ex. "ext4", - "xfs", "ntfs". If not provided, the empty value - is passed to the associated CSI driver which will - determine the default filesystem to apply. 
- type: string - nodePublishSecretRef: - description: NodePublishSecretRef is a reference to - the secret object containing sensitive information - to pass to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the - secret object contains more than one secret, all - secret references are passed. - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - readOnly: - description: Specifies a read-only configuration for - the volume. Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. Consult - your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: DownwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a value between 0 and - 0777. Defaults to 0644. Directories within the path - are not affected by this setting. This might be - in conflict with other options that affect the file - mode, like fsGroup, and the result can be other - mode bits set.' - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the - pod: only annotations, labels, name and namespace - are supported.' 
- properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits to use on - this file, must be a value between 0 and 0777. - If not specified, the volume defaultMode will - be used. This might be in conflict with other - options that affect the file mode, like fsGroup, - and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of the - relative path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' - properties: - containerName: - description: 'Container name: required for - volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - properties: - medium: - description: 'What type of storage medium should back - this directory. 
The default is "" which means to - use the node''s default medium. Must be an empty - string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also - applicable for memory medium. The maximum usage - on memory medium EmptyDir would be the minimum value - between the SizeLimit specified here and the sum - of memory limits of all containers in a pod. The - default is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - fc: - description: FC represents a Fibre Channel resource that - is attached to a kubelet's host machine and then exposed - to the pod. - properties: - fsType: - description: 'Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. TODO: how do we prevent - errors in the filesystem from compromising the machine' - type: string - lun: - description: 'Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in - VolumeMounts.' - type: boolean - targetWWNs: - description: 'Optional: FC target worldwide names - (WWNs)' - items: - type: string - type: array - wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' 
- items: - type: string - type: array - type: object - flexVolume: - description: FlexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. - properties: - driver: - description: Driver is the name of the driver to use - for this volume. - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". The default filesystem depends - on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'Optional: Extra command options if any.' - type: object - readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in - VolumeMounts.' - type: boolean - secretRef: - description: 'Optional: SecretRef is reference to - the secret object containing sensitive information - to pass to the plugin scripts. This may be empty - if no secret object is specified. If the secret - object contains more than one secret, all secrets - are passed to the plugin scripts.' - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - required: - - driver - type: object - flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running - properties: - datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated - type: string - datasetUUID: - description: UUID of the dataset. 
This is unique identifier - of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - format: int32 - type: integer - pdName: - description: 'Unique name of the PD resource in GCE. - Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: boolean - required: - - pdName - type: object - gitRepo: - description: 'GitRepo represents a git repository at a - particular revision. DEPRECATED: GitRepo is deprecated. - To provision a container with a git repo, mount an EmptyDir - into an InitContainer that clones the repo using git, - then mount the EmptyDir into the Pod''s container.' - properties: - directory: - description: Target directory name. 
Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git repository - in the subdirectory with the given name. - type: string - repository: - description: Repository URL - type: string - revision: - description: Commit hash for the specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: 'Glusterfs represents a Glusterfs mount on - the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' - properties: - endpoints: - description: 'EndpointsName is the endpoint name that - details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - path: - description: 'Path is the Glusterfs volume path. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. - Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: 'HostPath represents a pre-existing file - or directory on the host machine that is directly exposed - to the container. This is generally used for system - agents or other privileged things that are allowed to - see the host machine. Most containers will NOT need - this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host - directory mounts and who can/can not mount host directories - as read/write.' - properties: - path: - description: 'Path of the directory on the host. If - the path is a symlink, it will follow the link to - the real path. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - type: - description: 'Type for HostPath Volume Defaults to - "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - required: - - path - type: object - iscsi: - description: 'ISCSI represents an ISCSI Disk resource - that is attached to a kubelet''s host machine and then - exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' - properties: - chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP - authentication - type: boolean - chapAuthSession: - description: whether support iSCSI Session CHAP authentication - type: boolean - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - initiatorName: - description: Custom iSCSI Initiator Name. If initiatorName - is specified with iscsiInterface simultaneously, - new iSCSI interface : - will be created for the connection. - type: string - iqn: - description: Target iSCSI Qualified Name. - type: string - iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). - type: string - lun: - description: iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: iSCSI Target Portal List. The portal - is either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. 
- type: boolean - secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - targetPortal: - description: iSCSI Target Portal. The Portal is either - an IP or ip_addr:port if the port is other than - default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: 'Volume''s name. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - nfs: - description: 'NFS represents an NFS mount on the host - that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - properties: - path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: boolean - server: - description: 'Server is the hostname or IP address - of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - type: string - readOnly: - description: Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. - type: string - pdID: - description: ID that identifies Photon Controller - persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: FSType represents the filesystem type - to mount Must be a filesystem type supported by - the host operating system. Ex. "ext4", "xfs". Implicitly - inferred to be "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: VolumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: Items for all in one resources secrets, configmaps, - and downward API - properties: - defaultMode: - description: Mode bits to use on created files by - default. Must be a value between 0 and 0777. Directories - within the path are not affected by this setting. - This might be in conflict with other options that - affect the file mode, like fsGroup, and the result - can be other mode bits set. 
- format: int32 - type: integer - sources: - description: list of volume projections - items: - description: Projection that may be projected along - with other supported volume types - properties: - configMap: - description: information about the configMap - data to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed - keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits - to use on this file, must be a value - between 0 and 0777. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can - be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. May - not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - downwardAPI: - description: information about the downwardAPI - data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a - field of the pod: only annotations, - labels, name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in - terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified API - version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits - to use on this file, must be a value - between 0 and 0777. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can - be other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file to - be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not start - with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of - the container: only resources limits - and requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) - are currently supported.' 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - secret: - description: information about the secret data - to project - properties: - items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and content - is the value. If specified, the listed - keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. - items: - description: Maps a string key to a path - within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits - to use on this file, must be a value - between 0 and 0777. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can - be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. May - not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - type: object - serviceAccountToken: - description: information about the serviceAccountToken - data to project - properties: - audience: - description: Audience is the intended audience - of the token. A recipient of a token must - identify itself with an identifier specified - in the audience of the token, and otherwise - should reject the token. The audience - defaults to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. The - kubelet will start trying to rotate the - token if the token is older than 80 percent - of its time to live or if the token is - older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: Path is the path relative to - the mount point of the file to project - the token into. - type: string - required: - - path - type: object - type: object - type: array - required: - - sources - type: object - quobyte: - description: Quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: Group to map volume access to Default - is no group - type: string - readOnly: - description: ReadOnly here will force the Quobyte - volume to be mounted with read-only permissions. - Defaults to false. 
- type: boolean - registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string - as host:port pair (multiple entries are separated - with commas) which acts as the central registry - for volumes - type: string - tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned - Quobyte volumes, value is set by the plugin - type: string - user: - description: User to map volume access to Defaults - to serivceaccount user - type: string - volume: - description: Volume is a string that references an - already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' - properties: - fsType: - description: 'Filesystem type of the volume that you - want to mount. Tip: Ensure that the filesystem type - is supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - keyring: - description: 'Keyring is the path to key ring for - RBDUser. Default is /etc/ceph/keyring. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - monitors: - description: 'A collection of Ceph monitors. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - items: - type: string - type: array - pool: - description: 'The rados pool name. Default is rbd. 
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: boolean - secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - required: - - image - - monitors - type: object - scaleIO: - description: ScaleIO represents a ScaleIO persistent volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". Default is "xfs". - type: string - gateway: - description: The host address of the ScaleIO API Gateway. - type: string - protectionDomain: - description: The name of the ScaleIO Protection Domain - for the configured storage. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef references to the secret for - ScaleIO user and other sensitive information. If - this is not provided, Login operation will fail. - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - type: object - sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false - type: boolean - storageMode: - description: Indicates whether the storage for a volume - should be ThickProvisioned or ThinProvisioned. Default - is ThinProvisioned. - type: string - storagePool: - description: The ScaleIO Storage Pool associated with - the protection domain. - type: string - system: - description: The name of the storage system as configured - in ScaleIO. - type: string - volumeName: - description: The name of a volume already created - in the ScaleIO system that is associated with this - volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: 'Secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - properties: - defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a value between 0 and - 0777. Defaults to 0644. Directories within the path - are not affected by this setting. This might be - in conflict with other options that affect the file - mode, like fsGroup, and the result can be other - mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in - the Data field of the referenced Secret will be - projected into the volume as a file whose name is - the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. If - a key is specified which is not present in the Secret, - the volume setup will error unless it is marked - optional. Paths must be relative and may not contain - the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: The key to project. 
- type: string - mode: - description: 'Optional: mode bits to use on - this file, must be a value between 0 and 0777. - If not specified, the volume defaultMode will - be used. This might be in conflict with other - options that affect the file mode, like fsGroup, - and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to - map the key to. May not be an absolute path. - May not contain the path element '..'. May - not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: Specify whether the Secret or its keys - must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - type: object - storageos: - description: StorageOS represents a StorageOS volume attached - and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef specifies the secret to use - for obtaining the StorageOS API credentials. If - not specified, default values will be attempted. - properties: - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - volumeName: - description: VolumeName is the human-readable name - of the StorageOS volume. Volume names are only - unique within a namespace. 
- type: string - volumeNamespace: - description: VolumeNamespace specifies the scope of - the volume within StorageOS. If no namespace is - specified then the Pod's namespace will be used. This - allows the Kubernetes name scoping to be mirrored - within StorageOS for tighter integration. Set VolumeName - to any name to override the default behaviour. Set - to "default" if you are not using namespaces within - StorageOS. Namespaces that do not pre-exist within - StorageOS will be created. - type: string - type: object - vsphereVolume: - description: VsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. - "ext4", "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. - type: string - storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. - type: string - volumePath: - description: Path that identifies vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - required: - - containers - type: object - type: object - required: - - selector - - template - type: object - status: - description: DaemonJobStatus defines the observed state of DaemonJob - properties: - collisionCount: - description: Count of hash collisions for the DaemonSet. The DaemonSet - controller uses this field as a collision avoidance mechanism - when it needs to create the name for the newest ControllerRevision. - format: int32 - type: integer - conditions: - description: Represents the latest available observations of a DaemonSet's - current state. 
- items: - type: object - properties: - lastTransitionTime: - description: Last time the condition transitioned from one - status to another. - format: date-time - type: string - message: - description: A human readable message indicating details about - the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, - Unknown. - type: string - type: - description: Type of DaemonSet condition. - type: string - type: array - currentNumberScheduled: - description: 'The number of nodes that are running at least 1 daemon - pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/' - format: int32 - type: integer - desiredNumberScheduled: - description: 'The total number of nodes that should be running the - daemon pod (including nodes correctly running the daemon pod). - More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/' - format: int32 - type: integer - numberAvailable: - description: The number of nodes that should be running the daemon - pod and have one or more of the daemon pod running and available - (ready for at least spec.minReadySeconds) - format: int32 - type: integer - numberMisscheduled: - description: 'The number of nodes that are running the daemon pod, - but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/' - format: int32 - type: integer - numberReady: - description: The number of nodes that should be running the daemon - pod and have one or more of the daemon pod running and ready. 
- format: int32 - type: integer - numberUnavailable: - description: The number of nodes that should be running the daemon - pod and have none of the daemon pod running and available (ready - for at least spec.minReadySeconds) - format: int32 - type: integer - observedGeneration: - description: The most recent generation observed by the daemon set - controller. - format: int64 - type: integer - updatedNumberScheduled: - description: The total number of nodes that are running updated - daemon pod - format: int32 - type: integer - type: object - type: object - subresources: - status: {} - scope: Namespaced - names: - plural: daemonjobs - singular: daemonjob - kind: DaemonJob - shortNames: ["dj"] -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] -{{- end }} diff --git a/daemonjob-controller/templates/deployment.yaml b/daemonjob-controller/templates/deployment.yaml deleted file mode 100644 index 177ed0f4c7..0000000000 --- a/daemonjob-controller/templates/deployment.yaml +++ /dev/null 
@@ -1,63 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.deployment }}
-{{- $envAll := . }}
-
-{{- $serviceAccountName := "daemonjob-controller-serviceaccount" }}
-{{ tuple $envAll "daemonjob_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: daemonjob-controller
- annotations:
-{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 4 }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-spec:
- replicas: {{ .Values.pod.replicas.daemonjob_controller }}
- selector:
- matchLabels:
-{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
- template:
- metadata:
- annotations:
-{{ dict "envAll" $envAll "podName" "daemonjob-controller" "containerNames" (list "controller") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
- configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
- labels:
-{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
- spec:
- serviceAccountName: {{ $serviceAccountName }}
- nodeSelector:
- {{ .Values.labels.daemonjob_controller.node_selector_key }}: {{ .Values.labels.daemonjob_controller.node_selector_value | quote }}
- containers:
- - name: controller
-{{ tuple $envAll "python" | include "helm-toolkit.snippets.image" | indent 8 }}
-{{ tuple $envAll $envAll.Values.pod.resources.daemonjob_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
-{{ dict "envAll" $envAll "application" "daemonjob_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
- command:
- - python
- - /hooks/sync.py
- volumeMounts:
- - name: hooks
- mountPath: /hooks
- readOnly: true
- volumes:
- - name: hooks
- configMap:
- name: daemonjob-controller-bin
- defaultMode: 0555
-{{- end }}
diff --git a/daemonjob-controller/templates/extra-manifests.yaml b/daemonjob-controller/templates/extra-manifests.yaml
deleted file mode 100644
index fc9a76b885..0000000000
--- a/daemonjob-controller/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ if typeIs "string" . }}
- {{- tpl . $ }}
-{{- else }}
- {{- tpl (toYaml .) $ }}
-{{- end }}
-{{ end }}
diff --git a/daemonjob-controller/templates/job-image-repo-sync.yaml b/daemonjob-controller/templates/job-image-repo-sync.yaml
deleted file mode 100644
index b8a37270c6..0000000000
--- a/daemonjob-controller/templates/job-image-repo-sync.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
-{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "daemonjob-controller" -}}
-{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
-{{- end }}
\ No newline at end of file
diff --git a/daemonjob-controller/templates/secret-registry.yaml b/daemonjob-controller/templates/secret-registry.yaml
deleted file mode 100644
index da979b3223..0000000000
--- a/daemonjob-controller/templates/secret-registry.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
-{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
-{{- end }}
diff --git a/daemonjob-controller/templates/service.yaml b/daemonjob-controller/templates/service.yaml
deleted file mode 100644
index 2e87db9596..0000000000
--- a/daemonjob-controller/templates/service.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ tuple "daemonjob_controller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 80
- selector:
-{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/daemonjob-controller/values.yaml b/daemonjob-controller/values.yaml
deleted file mode 100644
index 9ea29f758d..0000000000
--- a/daemonjob-controller/values.yaml
+++ /dev/null
@@ -1,164 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for elasticsearch
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
----
-release_group: null
-
-images:
- tags:
- python: docker.io/library/python:3.7-slim
- pause: registry.k8s.io/pause:latest
- image_repo_sync: quay.io/airshipit/docker:27.5.0
- pullPolicy: IfNotPresent
- local_registry:
- active: false
- exclude:
- - dep_check
- - image_repo_sync
-
-labels:
- daemonjob_controller:
- node_selector_key: openstack-control-plane
- node_selector_value: enabled
-
-crds:
- group_name: ctl.example.com
- group_version: v1
-
-pod:
- lifecycle:
- upgrades:
- deployments:
- pod_replacement_strategy: RollingUpdate
- revision_history: 3
- rolling_update:
- max_surge: 3
- max_unavailable: 1
- resources:
- enabled: false
- daemonjob_controller:
- limits:
- memory: "1024Mi"
- cpu: "2000m"
- requests:
- memory: "128Mi"
- cpu: "500m"
- replicas:
- daemonjob_controller: 1
- security_context:
- daemonjob_controller:
- pod:
- runAsUser: 34356
- runAsNonRoot: true
- container:
- controller:
- runAsUser: 0
- readOnlyRootFilesystem: true
-secrets:
- oci_image_registry:
- daemonjob-controller: daemonjob-controller-oci-image-registry-key
-endpoints:
- cluster_domain_suffix: cluster.local
- local_image_registry:
- name: docker-registry
- namespace: docker-registry
- hosts:
- default: localhost
- internal: docker-registry
- node: localhost
- host_fqdn_override:
- default: null
- port:
- registry:
- node: 5000
- oci_image_registry:
- name: oci-image-registry
- namespace: oci-image-registry
- auth:
- enabled: false
- daemonjob-controller:
- username: daemonjob-controller
- password: password
- hosts:
- default: localhost
- host_fqdn_override:
- default: null
- port:
- registry:
- default: null
- daemonjob_controller:
- hosts:
- default: daemonjob-controller
- host_fqdn_override:
- default: null
- port:
- http:
- default: 80
-
-dependencies:
- dynamic:
- common:
- local_image_registry:
- jobs:
- - daemonjob-controller-image-repo-sync
- services:
- - endpoint: node
- service: local_image_registry
- static:
- image_repo_sync:
- services:
- - endpoint: internal
- service: local_image_registry
- daemonjob_controller:
- services: null
-
-manifests:
- deployment: true
- crds_create: true
- job_image_repo_sync: true
- configmap_bin: true
- secret_registry: true
- service: true
-
-# -- Array of extra K8s manifests to deploy
-## Note: Supports use of custom Helm templates
-extraObjects: []
- # - apiVersion: secrets-store.csi.x-k8s.io/v1
- # kind: SecretProviderClass
- # metadata:
- # name: osh-secrets-store
- # spec:
- # provider: aws
- # parameters:
- # objects: |
- # - objectName: "osh"
- # objectType: "secretsmanager"
- # jmesPath:
- # - path: "client_id"
- # objectAlias: "client_id"
- # - path: "client_secret"
- # objectAlias: "client_secret"
- # secretObjects:
- # - data:
- # - key: client_id
- # objectName: client_id
- # - key: client_secret
- # objectName: client_secret
- # secretName: osh-secrets-store
- # type: Opaque
- # labels:
- # app.kubernetes.io/part-of: osh
-...
diff --git a/doc/source/chart/infra_charts.rst b/doc/source/chart/infra_charts.rst
index 24abf55f7e..a347d34d3c 100644
--- a/doc/source/chart/infra_charts.rst
+++ b/doc/source/chart/infra_charts.rst
@@ -13,14 +13,12 @@ Infra charts options
 ceph-provisioners
 ceph-rgw
 cert-rotation
- daemonjob-controller
 elastic-apm-server
 elastic-filebeat
 elastic-metricbeat
 elastic-packetbeat
 elasticsearch
 etcd
- falco
 flannel
 fluentbit
 fluentd
@@ -35,12 +33,10 @@ Infra charts options
 libvirt
 local-storage
 local-volume-provisioner
- lockdown
 mariadb
 mariadb-backup
 mariadb-cluster
 memcached
- metacontroller
 mongodb
 nagios
 namespace-config
diff --git a/falco/Chart.yaml b/falco/Chart.yaml
deleted file mode 100644
index 87500a3048..0000000000
--- a/falco/Chart.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v2
-name: falco
-version: 2025.2.0
-appVersion: 0.11.1
-description: Sysdig Falco
-keywords:
- - monitoring
- - security
- - alerting
- - metric
- - troubleshooting
- - run-time
-home: https://www.sysdig.com/opensource/falco/
-icon: https://sysdig.com/wp-content/uploads/2016/08/falco_blog_480.jpg
-sources:
- - https://github.com/draios/falco
-maintainers:
- - name: OpenStack-Helm Authors
-dependencies:
- - name: helm-toolkit
- repository: file://../helm-toolkit
- version: ">= 0.1.0"
-...
diff --git a/falco/templates/bin/_falco.sh.tpl b/falco/templates/bin/_falco.sh.tpl
deleted file mode 100644
index d1ec7bec6a..0000000000
--- a/falco/templates/bin/_falco.sh.tpl
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-exec /usr/bin/falco -K /var/run/secrets/kubernetes.io/serviceaccount/token -k https://kubernetes.default -pk
diff --git a/falco/templates/configmap-bin.yaml b/falco/templates/configmap-bin.yaml
deleted file mode 100644
index 4950bcb026..0000000000
--- a/falco/templates/configmap-bin.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_bin }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: falco-bin
-data:
- falco.sh: |
-{{ tuple "bin/_falco.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- end }}
diff --git a/falco/templates/configmap-etc.yaml b/falco/templates/configmap-etc.yaml
deleted file mode 100644
index ae23e6d414..0000000000
--- a/falco/templates/configmap-etc.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_etc }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: falco
-data:
- falco.yaml: {{ toYaml .Values.conf.config | b64enc }}
- falco_rules.yaml: {{ .Values.conf.rules.falco_rules | b64enc }}
- falco_rules.local.yaml: {{ .Values.conf.rules.falco_rules_local | b64enc }}
-{{- end }}
diff --git a/falco/templates/configmap-rules.yaml b/falco/templates/configmap-rules.yaml
deleted file mode 100644
index ab208cd204..0000000000
--- a/falco/templates/configmap-rules.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.conf.rules.custom_rules .Values.manifests.configmap_custom_rules }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: falco-rules
-data:
-{{- range $file, $content := .Values.conf.rules.custom_rules }}
- {{ $file }}: {{ $content | b64enc }}
-{{- end }}
-{{- end }}
diff --git a/falco/templates/daemonset.yaml b/falco/templates/daemonset.yaml
deleted file mode 100644
index dbb0df31c7..0000000000
--- a/falco/templates/daemonset.yaml
+++ /dev/null
@@ -1,149 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.daemonset }} -{{- $envAll := . }} - -{{- $serviceAccountName := "falcon-service" }} -{{ tuple $envAll "falco" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $serviceAccountName }} -rules: - - apiGroups: - - "" - resources: - - nodes - - namespaces - - pods - - replicationcontrollers - - services - - events - - configmaps - verbs: - - get - - list - - watch - - nonResourceURLs: - - /healthz - - /healthz/* - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $serviceAccountName }} -roleRef: - kind: ClusterRole - name: {{ $serviceAccountName }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: falco-agent - labels: -{{ tuple $envAll "falco" "falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: -{{ tuple $envAll "falco" "falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} -{{ tuple $envAll "falco" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} - template: - metadata: - labels: -{{ tuple $envAll "falco" 
"falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} - configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} - spec: - serviceAccountName: {{ $serviceAccountName }} -{{ tuple $envAll "falco" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} - containers: - - name: falco -{{ tuple $envAll "falco" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ tuple $envAll $envAll.Values.pod.resources.falco | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - privileged: true - args: - - /tmp/falco.sh - volumeMounts: - - name: pod-tmp - mountPath: /tmp - - mountPath: /tmp/falco.sh - name: falco-bin - subPath: falco.sh - readOnly: true - - mountPath: /host/dev - name: dev-fs - - mountPath: /host/proc - name: proc-fs - readOnly: true - - mountPath: /host/boot - name: boot-fs - readOnly: true - - mountPath: /host/lib/modules - name: lib-modules - readOnly: true - - mountPath: /host/usr - name: usr-fs - readOnly: true - - mountPath: /etc/falco - name: config-volume - {{- if .Values.conf.rules.custom_rules }} - - mountPath: /etc/falco/rules.d - name: rules-volume - {{- end }} - volumes: - - name: pod-tmp - emptyDir: {} - - name: falco-bin - configMap: - name: falco-bin - defaultMode: 0555 - - name: dshm - emptyDir: - medium: Memory - - name: dev-fs - hostPath: - path: /dev - - name: proc-fs - hostPath: - path: /proc - - name: boot-fs - hostPath: - path: /boot - - name: lib-modules - hostPath: - path: /lib/modules - - name: usr-fs - hostPath: - path: /usr - - name: config-volume - secret: - secretName: falco - {{- if .Values.conf.rules.custom_rules }} - - name: rules-volume - secret: - secretName: falco-rules - {{- end }} -{{- end }} 
diff --git a/falco/templates/extra-manifests.yaml b/falco/templates/extra-manifests.yaml
deleted file mode 100644
index fc9a76b885..0000000000
--- a/falco/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ if typeIs "string" . }}
- {{- tpl . $ }}
-{{- else }}
- {{- tpl (toYaml .) $ }}
-{{- end }}
-{{ end }}
diff --git a/falco/templates/job-image-repo-sync.yaml b/falco/templates/job-image-repo-sync.yaml
deleted file mode 100644
index e6adca13af..0000000000
--- a/falco/templates/job-image-repo-sync.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
-{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "falco" -}}
-{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
-{{- end }}
diff --git a/falco/templates/secret-registry.yaml b/falco/templates/secret-registry.yaml
deleted file mode 100644
index da979b3223..0000000000
--- a/falco/templates/secret-registry.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
-{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
-{{- end }}
diff --git a/falco/values.yaml b/falco/values.yaml
deleted file mode 100644
index ac7ebfe22e..0000000000
--- a/falco/values.yaml
+++ /dev/null
@@ -1,1417 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -images: - pull_policy: IfNotPresent - tags: - dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy - falco: docker.io/sysdig/falco:0.12.1 - image_repo_sync: quay.io/airshipit/docker:27.5.0 - local_registry: - active: false - exclude: - - dep_check - - image_repo_sync - -secrets: - oci_image_registry: - falco: falco-oci-image-registry-key - -endpoints: - cluster_domain_suffix: cluster.local - oci_image_registry: - name: oci-image-registry - namespace: oci-image-registry - auth: - enabled: false - falco: - username: falco - password: password - hosts: - default: localhost - host_fqdn_override: - default: null - port: - registry: - default: null - -pod: - resources: - enabled: false - falco: - requests: - memory: "128Mi" - cpu: "20m" - limits: - memory: "128Mi" - cpu: "30m" - jobs: - image_repo_sync: - requests: - memory: "128Mi" - cpu: "20m" - limits: - memory: "128Mi" - cpu: "30m" - lifecycle: - upgrades: - daemonsets: - pod_replacement_strategy: RollingUpdate - falco: - enabled: true - min_ready_seconds: 0 - max_unavailable: 1 - tolerations: - falco: - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - - -conf: - config: - # The location of the rules file(s). This can contain one or more paths to - # separate rules files. 
- rules_file: - - /etc/falco/falco_rules.yaml - - /etc/falco/falco_rules.local.yaml - - /etc/falco/rules.d - - # Whether to output events in json or text - json_output: false - - # When using json output, whether or not to include the "output" property - # itself (e.g. "File below a known binary directory opened for writing - # (user=root ....") in the json output. - json_include_output_property: true - - # Send information logs to stderr and/or syslog Note these are *not* security - # notification logs! These are just Falco lifecycle (and possibly error) logs. - log_stderr: true - log_syslog: true - - # Minimum log level to include in logs. Note: these levels are - # separate from the priority field of rules. This refers only to the - # log level of falco's internal logging. Can be one of "emergency", - # "alert", "critical", "error", "warning", "notice", "info", "debug". - log_level: info - - # Minimum rule priority level to load and run. All rules having a - # priority more severe than this level will be loaded/run. Can be one - # of "emergency", "alert", "critical", "error", "warning", "notice", - # "info", "debug". - priority: debug - - # Whether or not output to any of the output channels below is - # buffered. - buffered_outputs: false - - # A throttling mechanism implemented as a token bucket limits the - # rate of falco notifications. This throttling is controlled by the following configuration - # options: - # - rate: the number of tokens (i.e. right to send a notification) - # gained per second. Defaults to 1. - # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. - # - # With these defaults, falco could send up to 1000 notifications after - # an initial quiet period, and then up to 1 notification per second - # afterward. It would gain the full burst back after 1000 seconds of - # no activity. - outputs: - rate: 1 - max_burst: 1000 - - # Where security notifications should go. - # Multiple outputs can be enabled. 
- syslog_output: - enabled: true - - # If keep_alive is set to true, the file will be opened once and - # continuously written to, with each output message on its own - # line. If keep_alive is set to false, the file will be re-opened - # for each output message. - # - # Also, the file will be closed and reopened if falco is signaled with - # SIGUSR1. - file_output: - enabled: false - keep_alive: false - filename: ./events.txt - - stdout_output: - enabled: true - - # Possible additional things you might want to do with program output: - # - send to a slack webhook: - # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" - # - logging (alternate method than syslog): - # program: logger -t falco-test - # - send over a network connection: - # program: nc host.example.com 80 - - # If keep_alive is set to true, the program will be started once and - # continuously written to, with each output message on its own - # line. If keep_alive is set to false, the program will be re-spawned - # for each output message. - # - # Also, the program will be closed and reopened if falco is signaled with - # SIGUSR1. 
- program_output: - enabled: false - keep_alive: false - program: mail -s "Falco Notification" someone@example.com - rules: - falco_rules: | - - macro: open_write - condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0 - - macro: open_read - condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0 - - macro: never_true - condition: (evt.num=0) - - macro: always_true - condition: (evt.num=>0) - - macro: proc_name_exists - condition: (proc.name!="") - - macro: rename - condition: evt.type in (rename, renameat) - - macro: mkdir - condition: evt.type = mkdir - - macro: remove - condition: evt.type in (rmdir, unlink, unlinkat) - - macro: modify - condition: rename or remove - - macro: spawned_process - condition: evt.type = execve and evt.dir=< - - macro: bin_dir - condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - - macro: bin_dir_mkdir - condition: > - (evt.arg[1] startswith /bin/ or - evt.arg[1] startswith /sbin/ or - evt.arg[1] startswith /usr/bin/ or - evt.arg[1] startswith /usr/sbin/) - - macro: bin_dir_rename - condition: > - evt.arg[1] startswith /bin/ or - evt.arg[1] startswith /sbin/ or - evt.arg[1] startswith /usr/bin/ or - evt.arg[1] startswith /usr/sbin/ - - macro: etc_dir - condition: fd.name startswith /etc/ - - macro: root_dir - condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/") - - list: shell_binaries - items: [bash, csh, ksh, sh, tcsh, zsh, dash] - - list: shell_mgmt_binaries - items: [add-shell, remove-shell] - - macro: shell_procs - condition: (proc.name in (shell_binaries)) - - list: coreutils_binaries - items: [ - truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, - groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, - basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf, - base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, - comm, arch, 
du, factor, sha512sum, md5sum, tr, runcon, env, dirname, - tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, - tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, - tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, date, - chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, echo, - readlink, sleep, stty, mkdir, df, dir, rmdir, touch - ] - - list: login_binaries - items: [ - login, systemd, '"(systemd)"', systemd-logind, su, - nologin, faillog, lastlog, newgrp, sg - ] - - list: passwd_binaries - items: [ - shadowconfig, grpck, pwunconv, grpconv, pwck, - groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, - groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, - gpasswd, chfn, expiry, passwd, vigr, cpgr - ] - - list: shadowutils_binaries - items: [ - chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, - groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, grpconv, grpunconv, - newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw, unix_chkpwd - ] - - list: sysdigcloud_binaries - items: [setup-backend, dragent, sdchecks] - - list: docker_binaries - items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current] - - list: k8s_binaries - items: [hyperkube, skydns, kube2sky, exechealthz] - - list: lxd_binaries - items: [lxd, lxcfs] - - list: http_server_binaries - items: [nginx, httpd, httpd-foregroun, lighttpd, apache, apache2] - - list: db_server_binaries - items: [mysqld, postgres, sqlplus] - - list: mysql_mgmt_binaries - items: [mysql_install_d, mysql_ssl_rsa_s] - - list: postgres_mgmt_binaries - items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster] - - list: db_mgmt_binaries - items: [mysql_mgmt_binaries, postgres_mgmt_binaries] - - list: nosql_server_binaries - items: [couchdb, memcached, redis-server, rabbitmq-server, mongod] - - list: gitlab_binaries - items: [gitlab-shell, 
gitlab-mon, gitlab-runner-b, git] - - macro: server_procs - condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd) - - list: rpm_binaries - items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma, - repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, - abrt-action-sav, rpmdb_stat, microdnf] - - macro: rpm_procs - condition: proc.name in (rpm_binaries) or proc.name in (salt-minion) - - list: deb_binaries - items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude, - frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key, - apt-listchanges, unattended-upgr, apt-add-reposit - ] - - list: package_mgmt_binaries - items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client] - - macro: package_mgmt_procs - condition: proc.name in (package_mgmt_binaries) - - macro: coreos_write_ssh_dir - condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh) - - macro: run_by_package_mgmt_binaries - condition: proc.aname in (package_mgmt_binaries, needrestart) - - list: ssl_mgmt_binaries - items: [ca-certificates] - - list: dhcp_binaries - items: [dhclient, dhclient-script] - - list: userexec_binaries - items: [sudo, su, suexec] - - list: known_setuid_binaries - items: [ - sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli, - filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm, - start-stop-daem - ] - - list: user_mgmt_binaries - items: [login_binaries, passwd_binaries, shadowutils_binaries] - - list: dev_creation_binaries - items: [blkid, rename_device, update_engine, sgdisk] - - list: hids_binaries - items: [aide] - - list: vpn_binaries - items: [openvpn] - - list: nomachine_binaries - items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin] - - macro: system_procs - condition: proc.name in (coreutils_binaries, user_mgmt_binaries) - - list: mail_binaries - items: [ - sendmail, 
sendmail-msp, postfix, procmail, exim4, - pickup, showq, mailq, dovecot, imap-login, imap, - mailmng-core, pop3-login, dovecot-lda, pop3 - ] - - list: mail_config_binaries - items: [ - update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, - update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., - postfix.config, postfix-script - ] - - list: sensitive_file_names - items: [/etc/shadow, /etc/sudoers, /etc/pam.conf] - - macro: sensitive_files - condition: > - fd.name startswith /etc and - (fd.name in (sensitive_file_names) - or fd.directory in (/etc/sudoers.d, /etc/pam.d)) - - macro: proc_is_new - condition: proc.duration <= 5000000000 - - macro: inbound - condition: > - (((evt.type in (accept,listen) and evt.dir=<)) or - (fd.typechar = 4 or fd.typechar = 6) and - (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and - (evt.rawres >= 0 or evt.res = EINPROGRESS)) - - macro: outbound - condition: > - (((evt.type = connect and evt.dir=<)) or - (fd.typechar = 4 or fd.typechar = 6) and - (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and - (evt.rawres >= 0 or evt.res = EINPROGRESS)) - - macro: inbound_outbound - condition: > - (((evt.type in (accept,listen,connect) and evt.dir=<)) or - (fd.typechar = 4 or fd.typechar = 6) and - (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and - (evt.rawres >= 0 or evt.res = EINPROGRESS)) - - macro: ssh_port - condition: fd.sport=22 - - macro: allowed_ssh_hosts - condition: ssh_port - - rule: Disallowed SSH Connection - desc: Detect any new ssh connection to a host other than those in an allowed group of hosts - condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts - output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name) - priority: NOTICE - tags: [network] - - macro: container - condition: container.id != host - - macro: interactive - condition: > - ((proc.aname=sshd and proc.name != sshd) or - proc.name=systemd-logind or proc.name=login) - - 
list: cron_binaries - items: [anacron, cron, crond, crontab] - - list: needrestart_binaries - items: [needrestart, 10-dpkg, 20-rpm, 30-pacman] - - list: sshkit_script_binaries - items: [10_etc_sudoers., 10_passwd_group] - - list: plesk_binaries - items: [sw-engine, sw-engine-fpm, sw-engine-kv, filemng, f2bmng] - - macro: system_users - condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data) - - macro: parent_ansible_running_python - condition: (proc.pname in (python, pypy) and proc.pcmdline contains ansible) - - macro: parent_bro_running_python - condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl) - - macro: parent_python_running_denyhosts - condition: > - (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or - (proc.pname=python and - (proc.pcmdline contains /usr/sbin/denyhosts or - proc.pcmdline contains /usr/local/bin/denyhosts.py))) - - macro: parent_python_running_sdchecks - condition: > - (proc.pname in (python, python2.7) and - (proc.pcmdline contains /opt/draios/bin/sdchecks)) - - macro: parent_linux_image_upgrade_script - condition: proc.pname startswith linux-image- - - macro: parent_java_running_echo - condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") - - macro: parent_scripting_running_builds - condition: > - (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and ( - proc.cmdline startswith "sh -c git" or - proc.cmdline startswith "sh -c date" or - proc.cmdline startswith "sh -c /usr/bin/g++" or - proc.cmdline startswith "sh -c /usr/bin/gcc" or - proc.cmdline startswith "sh -c gcc" or - proc.cmdline startswith "sh -c if type gcc" or - proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or - proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or - proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or - proc.cmdline startswith "sh -c make parent" or - proc.cmdline startswith "node 
/jenkins/tools" or - proc.cmdline startswith "sh -c '/usr/bin/node'" or - proc.cmdline startswith "sh -c stty -a |" or - proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or - proc.pcmdline startswith "node /usr/local/bin/yarn" or - proc.pcmdline startswith "node /root/.config/yarn" or - proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) - - macro: httpd_writing_ssl_conf - condition: > - (proc.pname=run-httpd and - (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and - (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf)) - - macro: userhelper_writing_etc_security - condition: (proc.name=userhelper and fd.name startswith /etc/security) - - macro: parent_Xvfb_running_xkbcomp - condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"') - - macro: parent_nginx_running_serf - condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf") - - macro: parent_node_running_npm - condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or - proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or - proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm") - - macro: parent_java_running_sbt - condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar) - - list: known_container_shell_spawn_cmdlines - items: [] - - list: known_shell_spawn_binaries - items: [] - - macro: ansible_running_python - condition: (proc.name in (python, pypy) and proc.cmdline contains ansible) - - macro: python_running_chef - condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py")) - - macro: python_running_denyhosts - condition: > - (proc.name=python and - (proc.cmdline contains /usr/sbin/denyhosts or - proc.cmdline contains /usr/local/bin/denyhosts.py)) - - macro: run_by_qualys - condition: > - (proc.pname=qualys-cloud-ag or - proc.aname[2]=qualys-cloud-ag or - proc.aname[3]=qualys-cloud-ag or - 
proc.aname[4]=qualys-cloud-ag) - - macro: run_by_sumologic_securefiles - condition: > - ((proc.cmdline="usermod -a -G sumologic_collector" or - proc.cmdline="groupadd sumologic_collector") and - (proc.pname=secureFiles.sh and proc.aname[2]=java)) - - macro: run_by_yum - condition: ((proc.pname=sh and proc.aname[2]=yum) or - (proc.aname[2]=sh and proc.aname[3]=yum)) - - macro: run_by_ms_oms - condition: > - (proc.aname[3] startswith omsagent- or - proc.aname[3] startswith scx-) - - macro: run_by_google_accounts_daemon - condition: > - (proc.aname[1] startswith google_accounts or - proc.aname[2] startswith google_accounts) - - macro: run_by_chef - condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or - proc.aname[2]=chef-client or proc.aname[3]=chef-client or - proc.name=chef-client) - - macro: run_by_adclient - condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient) - - macro: run_by_centrify - condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify) - - macro: run_by_puppet - condition: (proc.aname[2]=puppet or proc.aname[3]=puppet) - - macro: run_by_foreman - condition: > - (user.name=foreman and - (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or - (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))) - - macro: java_running_sdjagent - condition: proc.name=java and proc.cmdline contains sdjagent.jar - - macro: kubelet_running_loopback - condition: (proc.pname=kubelet and proc.name=loopback) - - macro: python_mesos_marathon_scripting - condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py") - - macro: splunk_running_forwarder - condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder") - - macro: parent_supervise_running_multilog - condition: (proc.name=multilog and proc.pname=supervise) - - macro: supervise_writing_status - condition: (proc.name in (supervise,svc) and fd.name startswith 
"/etc/sb/") - - macro: pki_realm_writing_realms - condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms) - - macro: htpasswd_writing_passwd - condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd) - - macro: lvprogs_writing_conf - condition: > - (proc.name in (dmeventd,lvcreate,pvscan) and - (fd.name startswith /etc/lvm/archive or - fd.name startswith /etc/lvm/backup or - fd.name startswith /etc/lvm/cache)) - - macro: ovsdb_writing_openvswitch - condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch) - - macro: perl_running_plesk - condition: (proc.cmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager" or - proc.pcmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager") - - macro: perl_running_updmap - condition: (proc.cmdline startswith "perl /usr/bin/updmap") - - macro: perl_running_centrifydc - condition: (proc.cmdline startswith "perl /usr/share/centrifydc") - - macro: parent_ucf_writing_conf - condition: (proc.pname=ucf and proc.aname[2]=frontend) - - macro: consul_template_writing_conf - condition: > - ((proc.name=consul-template and fd.name startswith /etc/haproxy) or - (proc.name=reload.sh and proc.aname[2]=consul-template and fd.name startswith /etc/ssl)) - - macro: countly_writing_nginx_conf - condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx) - - list: ms_oms_binaries - items: [omi.postinst, omsconfig.posti, scx.postinst, omsadmin.sh, omiagent] - - macro: ms_oms_writing_conf - condition: > - ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor) - or proc.pname in (ms_oms_binaries) - or proc.aname[2] in (ms_oms_binaries)) - and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent)) - - macro: ms_scx_writing_conf - condition: (proc.name in (GetLinuxOS.sh) and fd.name startswith /etc/opt/microsoft/scx) - - macro: azure_scripts_writing_conf - condition: 
(proc.pname startswith "bash /var/lib/waagent/" and fd.name startswith /etc/azure) - - macro: azure_networkwatcher_writing_conf - condition: (proc.name in (NetworkWatcherA) and fd.name=/etc/init.d/AzureNetworkWatcherAgent) - - macro: couchdb_writing_conf - condition: (proc.name=beam.smp and proc.cmdline contains couchdb and fd.name startswith /etc/couchdb) - - macro: update_texmf_writing_conf - condition: (proc.name=update-texmf and fd.name startswith /etc/texmf) - - macro: slapadd_writing_conf - condition: (proc.name=slapadd and fd.name startswith /etc/ldap) - - macro: openldap_writing_conf - condition: (proc.pname=run-openldap.sh and fd.name startswith /etc/openldap) - - macro: ucpagent_writing_conf - condition: (proc.name=apiserver and container.image startswith docker/ucp-agent and fd.name=/etc/authorization_config.cfg) - - macro: iscsi_writing_conf - condition: (proc.name=iscsiadm and fd.name startswith /etc/iscsi) - - macro: symantec_writing_conf - condition: > - ((proc.name=symcfgd and fd.name startswith /etc/symantec) or - (proc.name=navdefutil and fd.name=/etc/symc-defutils.conf)) - - macro: liveupdate_writing_conf - condition: (proc.cmdline startswith "java LiveUpdate" and fd.name in (/etc/liveupdate.conf, /etc/Product.Catalog.JavaLiveUpdate)) - - macro: sosreport_writing_files - condition: > - (proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and - (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb)) - - macro: pkgmgmt_progs_writing_pki - condition: > - (proc.name=urlgrabber-ext- and proc.pname in (yum, yum-cron, repoquery) and - (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb)) - - macro: update_ca_trust_writing_pki - condition: (proc.pname=update-ca-trust and proc.name=trust and fd.name startswith /etc/pki) - - macro: brandbot_writing_os_release - condition: proc.name=brandbot and fd.name=/etc/os-release - - macro: selinux_writing_conf - condition: (proc.name in (semodule,genhomedircon,sefcontext_comp) 
and fd.name startswith /etc/selinux) - - list: veritas_binaries - items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune] - - macro: veritas_driver_script - condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl") - - macro: veritas_progs - condition: (proc.name in (veritas_binaries) or veritas_driver_script) - - macro: veritas_writing_config - condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom)) - - macro: nginx_writing_conf - condition: (proc.name=nginx and fd.name startswith /etc/nginx) - - macro: nginx_writing_certs - condition: > - (((proc.name=openssl and proc.pname=nginx-launch.sh) or proc.name=nginx-launch.sh) and fd.name startswith /etc/nginx/certs) - - macro: chef_client_writing_conf - condition: (proc.pcmdline startswith "chef-client /opt/gitlab" and fd.name startswith /etc/gitlab) - - macro: centrify_writing_krb - condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5) - - macro: cockpit_writing_conf - condition: > - ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la) - and fd.name startswith /etc/cockpit) - - macro: ipsec_writing_conf - condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec) - - macro: exe_running_docker_save - condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker)) - - macro: sed_temporary_file - condition: (proc.name=sed and fd.name startswith "/etc/sed") - - macro: python_running_get_pip - condition: (proc.cmdline startswith "python get-pip.py") - - macro: python_running_ms_oms - condition: (proc.cmdline startswith "python /var/lib/waagent/") - - macro: gugent_writing_guestagent_log - condition: (proc.name=gugent and fd.name=GuestAgent.log) - - macro: dse_writing_tmp - condition: (proc.name=dse-entrypoint and fd.name=/root/tmp__) - - macro: zap_writing_state - condition: (proc.name=java and proc.cmdline contains "jar /zap" 
and fd.name startswith /root/.ZAP) - - macro: airflow_writing_state - condition: (proc.name=airflow and fd.name startswith /root/airflow) - - macro: rpm_writing_root_rpmdb - condition: (proc.name=rpm and fd.directory=/root/.rpmdb) - - macro: maven_writing_groovy - condition: (proc.name=java and proc.cmdline contains "classpath /usr/local/apache-maven" and fd.name startswith /root/.groovy) - - rule: Write below binary dir - desc: an attempt to write to any file below a set of binary directories - condition: > - bin_dir and evt.dir = < and open_write - and not package_mgmt_procs - and not exe_running_docker_save - and not python_running_get_pip - and not python_running_ms_oms - output: > - File below a known binary directory opened for writing (user=%user.name - command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) - priority: ERROR - tags: [filesystem] - - list: monitored_directories - items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver] - - macro: user_ssh_directory - condition: (fd.name startswith '/home' and fd.name contains '.ssh') - - macro: mkinitramfs_writing_boot - condition: (proc.pname in (mkinitramfs, update-initramf) and fd.directory=/boot) - - macro: monitored_dir - condition: > - (fd.directory in (monitored_directories) - or user_ssh_directory) - and not mkinitramfs_writing_boot - - rule: Write below monitored dir - desc: an attempt to write to any file below a set of binary directories - condition: > - evt.dir = < and open_write and monitored_dir - and not package_mgmt_procs - and not coreos_write_ssh_dir - and not exe_running_docker_save - and not python_running_get_pip - and not python_running_ms_oms - output: > - File below a monitored directory opened for writing (user=%user.name - command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) - priority: ERROR - tags: [filesystem] - - list: 
safe_etc_dirs - items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig] - - macro: fluentd_writing_conf_files - condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf)) - - macro: qualys_writing_conf_files - condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf) - - macro: git_writing_nssdb - condition: (proc.name=git-remote-http and fd.directory=/etc/pki/nssdb) - - macro: plesk_writing_keys - condition: (proc.name in (plesk_binaries) and fd.name startswith /etc/sw/keys) - - macro: plesk_install_writing_apache_conf - condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure" - and fd.name="/etc/apache2/apache2.conf.tmp") - - macro: plesk_running_mktemp - condition: (proc.name=mktemp and proc.aname[3] in (plesk_binaries)) - - macro: networkmanager_writing_resolv_conf - condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf - - macro: add_shell_writing_shells_tmp - condition: (proc.name=add-shell and fd.name=/etc/shells.tmp) - - macro: duply_writing_exclude_files - condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply") - - macro: xmlcatalog_writing_files - condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml) - - macro: datadog_writing_conf - condition: ((proc.cmdline startswith "python /opt/datadog-agent" or - proc.cmdline startswith "entrypoint.sh /entrypoint.sh datadog start" or - proc.cmdline startswith "agent.py /opt/datadog-agent") - and fd.name startswith "/etc/dd-agent") - - macro: curl_writing_pki_db - condition: (proc.name=curl and fd.directory=/etc/pki/nssdb) - - macro: haproxy_writing_conf - condition: ((proc.name in (update-haproxy-,haproxy_reload.) 
or proc.pname in (update-haproxy-,haproxy_reload,haproxy_reload.)) - and (fd.name=/etc/openvpn/client.map or fd.name startswith /etc/haproxy)) - - macro: java_writing_conf - condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock) - - macro: rabbitmq_writing_conf - condition: (proc.name=rabbitmq-server and fd.directory=/etc/rabbitmq) - - macro: rook_writing_conf - condition: (proc.name=toolbox.sh and container.image startswith rook/toolbox - and fd.directory=/etc/ceph) - - macro: httpd_writing_conf_logs - condition: (proc.name=httpd and fd.name startswith /etc/httpd/) - - macro: mysql_writing_conf - condition: > - ((proc.name in (start-mysql.sh, run-mysqld) or proc.pname=start-mysql.sh) and - (fd.name startswith /etc/mysql or fd.directory=/etc/my.cnf.d)) - - macro: redis_writing_conf - condition: > - (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis) - - macro: openvpn_writing_conf - condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn) - - macro: php_handlers_writing_conf - condition: (proc.name=php_handlers_co and fd.name=/etc/psa/php_versions.json) - - macro: sed_writing_temp_file - condition: > - ((proc.aname[3]=cron_start.sh and fd.name startswith /etc/security/sed) or - (proc.name=sed and (fd.name startswith /etc/apt/sources.list.d/sed or - fd.name startswith /etc/apt/sed or - fd.name startswith /etc/apt/apt.conf.d/sed))) - - macro: cron_start_writing_pam_env - condition: (proc.cmdline="bash /usr/sbin/start-cron" and fd.name=/etc/security/pam_env.conf) - - macro: dpkg_scripting - condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu)) - - macro: user_known_write_etc_conditions - condition: proc.name=confd - - macro: write_etc_common - condition: > - etc_dir and evt.dir = < and open_write - and proc_name_exists - and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, - package_mgmt_binaries, ssl_mgmt_binaries, 
dhcp_binaries, - dev_creation_binaries, shell_mgmt_binaries, - mail_config_binaries, - sshkit_script_binaries, - ldconfig.real, ldconfig, confd, gpg, insserv, - apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - systemd, systemd-machine, systemd-sysuser, - debconf-show, rollerd, bind9.postinst, sv, - gen_resolvconf., update-ca-certi, certbot, runsv, - qualys-cloud-ag, locales.postins, nomachine_binaries, - adclient, certutil, crlutil, pam-auth-update, parallels_insta, - openshift-launc, update-rc.d) - and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries) - and not fd.name pmatch (safe_etc_dirs) - and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) - and not sed_temporary_file - and not exe_running_docker_save - and not ansible_running_python - and not python_running_denyhosts - and not fluentd_writing_conf_files - and not user_known_write_etc_conditions - and not run_by_centrify - and not run_by_adclient - and not qualys_writing_conf_files - and not git_writing_nssdb - and not plesk_writing_keys - and not plesk_install_writing_apache_conf - and not plesk_running_mktemp - and not networkmanager_writing_resolv_conf - and not run_by_chef - and not add_shell_writing_shells_tmp - and not duply_writing_exclude_files - and not xmlcatalog_writing_files - and not parent_supervise_running_multilog - and not supervise_writing_status - and not pki_realm_writing_realms - and not htpasswd_writing_passwd - and not lvprogs_writing_conf - and not ovsdb_writing_openvswitch - and not datadog_writing_conf - and not curl_writing_pki_db - and not haproxy_writing_conf - and not java_writing_conf - and not dpkg_scripting - and not parent_ucf_writing_conf - and not rabbitmq_writing_conf - and not rook_writing_conf - and not php_handlers_writing_conf - and not sed_writing_temp_file - and not cron_start_writing_pam_env - 
and not httpd_writing_conf_logs - and not mysql_writing_conf - and not openvpn_writing_conf - and not consul_template_writing_conf - and not countly_writing_nginx_conf - and not ms_oms_writing_conf - and not ms_scx_writing_conf - and not azure_scripts_writing_conf - and not azure_networkwatcher_writing_conf - and not couchdb_writing_conf - and not update_texmf_writing_conf - and not slapadd_writing_conf - and not symantec_writing_conf - and not liveupdate_writing_conf - and not sosreport_writing_files - and not selinux_writing_conf - and not veritas_writing_config - and not nginx_writing_conf - and not nginx_writing_certs - and not chef_client_writing_conf - and not centrify_writing_krb - and not cockpit_writing_conf - and not ipsec_writing_conf - and not httpd_writing_ssl_conf - and not userhelper_writing_etc_security - and not pkgmgmt_progs_writing_pki - and not update_ca_trust_writing_pki - and not brandbot_writing_os_release - and not redis_writing_conf - and not openldap_writing_conf - and not ucpagent_writing_conf - and not iscsi_writing_conf - - rule: Write below etc - desc: an attempt to write to any file below /etc - condition: write_etc_common - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" - priority: ERROR - tags: [filesystem] - - list: known_root_files - items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, - /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack, - /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts] - - list: known_root_directories - items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami] - - macro: known_root_conditions - condition: (fd.name startswith 
/root/orcexec. - or fd.name startswith /root/.m2 - or fd.name startswith /root/.npm - or fd.name startswith /root/.pki - or fd.name startswith /root/.ivy2 - or fd.name startswith /root/.config/Cypress - or fd.name startswith /root/.config/pulse - or fd.name startswith /root/.config/configstore - or fd.name startswith /root/jenkins/workspace - or fd.name startswith /root/.jenkins - or fd.name startswith /root/.cache - or fd.name startswith /root/.sbt - or fd.name startswith /root/.java - or fd.name startswith /root/.glide - or fd.name startswith /root/.sonar - or fd.name startswith /root/.v8flag - or fd.name startswith /root/infaagent - or fd.name startswith /root/.local/lib/python - or fd.name startswith /root/.pm2 - or fd.name startswith /root/.gnupg - or fd.name startswith /root/.pgpass - or fd.name startswith /root/.theano - or fd.name startswith /root/.gradle - or fd.name startswith /root/.android - or fd.name startswith /root/.ansible - or fd.name startswith /root/.crashlytics - or fd.name startswith /root/.dbus - or fd.name startswith /root/.composer - or fd.name startswith /root/.gconf - or fd.name startswith /root/.nv - or fd.name startswith /root/.local/share/jupyter - or fd.name startswith /root/oradiag_root - or fd.name startswith /root/workspace - or fd.name startswith /root/jvm - or fd.name startswith /root/.node-gyp) - - rule: Write below root - desc: an attempt to write to any file directly below / or /root - condition: > - root_dir and evt.dir = < and open_write - and not fd.name in (known_root_files) - and not fd.directory in (known_root_directories) - and not exe_running_docker_save - and not gugent_writing_guestagent_log - and not dse_writing_tmp - and not zap_writing_state - and not airflow_writing_state - and not rpm_writing_root_rpmdb - and not maven_writing_groovy - and not known_root_conditions - output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" - 
priority: ERROR - tags: [filesystem] - - macro: cmp_cp_by_passwd - condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) - - rule: Read sensitive file trusted after startup - desc: > - an attempt to read any sensitive file (e.g. files containing user/password/authentication - information) by a trusted program after startup. Trusted programs might read these files - at startup to load initial state, but not afterwards. - condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" - output: > - Sensitive file opened for reading by trusted program after startup (user=%user.name - command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) - priority: WARNING - tags: [filesystem] - - list: read_sensitive_file_binaries - items: [ - iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, - vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, - scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd - ] - - macro: user_read_sensitive_file_conditions - condition: cmp_cp_by_passwd - - rule: Read sensitive file untrusted - desc: > - an attempt to read any sensitive file (e.g. files containing user/password/authentication - information). Exceptions are made for known trusted programs. 
- condition: > - sensitive_files and open_read - and proc_name_exists - and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, - cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, - vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries, - in.proftpd, mandb, salt-minion, postgres_mgmt_binaries) - and not cmp_cp_by_passwd - and not ansible_running_python - and not proc.cmdline contains /usr/bin/mandb - and not run_by_qualys - and not run_by_chef - and not user_read_sensitive_file_conditions - and not perl_running_plesk - and not perl_running_updmap - and not veritas_driver_script - and not perl_running_centrifydc - output: > - Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name - command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) - priority: WARNING - tags: [filesystem] - - rule: Write below rpm database - desc: an attempt to write to the rpm database by any non-rpm related program - condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not python_running_chef - output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)" - priority: ERROR - tags: [filesystem, software_mgmt] - - macro: postgres_running_wal_e - condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e") - - macro: redis_running_prepost_scripts - condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d")) - - macro: rabbitmq_running_scripts - condition: > - (proc.pname=beam.smp and - (proc.cmdline startswith "sh -c exec ps" or - proc.cmdline startswith "sh -c exec inet_gethost" or - proc.cmdline= "sh -s unix:cmd" or - proc.cmdline= "sh -c 
exec /bin/sh -s unix:cmd 2>&1")) - - macro: rabbitmqctl_running_scripts - condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ") - - macro: run_by_appdynamics - condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics") - - rule: DB program spawned process - desc: > - a database-server related program spawned a new process other than itself. - This shouldn\'t occur and is a follow on from some SQL injection attacks. - condition: > - proc.pname in (db_server_binaries) - and spawned_process - and not proc.name in (db_server_binaries) - and not postgres_running_wal_e - output: > - Database-related program spawned process other than itself (user=%user.name - program=%proc.cmdline parent=%proc.pname) - priority: NOTICE - tags: [process, database] - - rule: Modify binary dirs - desc: an attempt to modify any file below a set of binary directories. - condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save - output: > - File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline - pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args) - priority: ERROR - tags: [filesystem] - - rule: Mkdir binary dirs - desc: an attempt to create a directory below a set of binary directories. - condition: mkdir and bin_dir_mkdir and not package_mgmt_procs - output: > - Directory below known binary directory created (user=%user.name - command=%proc.cmdline directory=%evt.arg.path) - priority: ERROR - tags: [filesystem] - - list: user_known_change_thread_namespace_binaries - items: [] - - rule: Change thread namespace - desc: > - an attempt to change a program/thread\'s namespace (commonly done - as a part of creating a container) by calling setns. 
- condition: > - evt.type = setns - and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter) - and not proc.name in (user_known_change_thread_namespace_binaries) - and not proc.name startswith "runc:" - and not proc.pname in (sysdigcloud_binaries) - and not java_running_sdjagent - and not kubelet_running_loopback - output: > - Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline - parent=%proc.pname %container.info) - priority: NOTICE - tags: [process] - - list: protected_shell_spawning_binaries - items: [ - http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries, - fluentd, flanneld, splunkd, consul, smbd, runsv, PM2 - ] - - macro: parent_java_running_elasticsearch - condition: (proc.pname=java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch) - - macro: parent_java_running_activemq - condition: (proc.pname=java and proc.pcmdline contains activemq.jar) - - macro: parent_java_running_cassandra - condition: (proc.pname=java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon)) - - macro: parent_java_running_jboss_wildfly - condition: (proc.pname=java and proc.pcmdline contains org.jboss) - - macro: parent_java_running_glassfish - condition: (proc.pname=java and proc.pcmdline contains com.sun.enterprise.glassfish) - - macro: parent_java_running_hadoop - condition: (proc.pname=java and proc.pcmdline contains org.apache.hadoop) - - macro: parent_java_running_datastax - condition: (proc.pname=java and proc.pcmdline contains com.datastax) - - macro: nginx_starting_nginx - condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf") - - macro: nginx_running_aws_s3_cp - condition: (proc.pname=nginx and proc.cmdline startswith "sh -c /usr/local/bin/aws s3 cp") - - macro: consul_running_net_scripts - condition: (proc.pname=consul and 
(proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc")) - - macro: consul_running_alert_checks - condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts") - - macro: serf_script - condition: (proc.cmdline startswith "sh -c serf") - - macro: check_process_status - condition: (proc.cmdline startswith "sh -c kill -0 ") - - macro: possibly_node_in_container - condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe)) - - macro: possibly_parent_java_running_tomcat - condition: (never_true and proc.pname=java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap) - - macro: protected_shell_spawner - condition: > - (proc.aname in (protected_shell_spawning_binaries) - or parent_java_running_elasticsearch - or parent_java_running_activemq - or parent_java_running_cassandra - or parent_java_running_jboss_wildfly - or parent_java_running_glassfish - or parent_java_running_hadoop - or parent_java_running_datastax - or possibly_parent_java_running_tomcat - or possibly_node_in_container) - - list: mesos_shell_binaries - items: [mesos-docker-ex, mesos-slave, mesos-health-ch] - - rule: Run shell untrusted - desc: an attempt to spawn a shell below a non-shell application. Specific applications are monitored. 
- condition: > - spawned_process - and shell_procs - and proc.pname exists - and protected_shell_spawner - and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries, - needrestart_binaries, - mesos_shell_binaries, - erl_child_setup, exechealthz, - PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf, - lb-controller, nvidia-installe, runsv, statsite, erlexec) - and not proc.cmdline in (known_shell_spawn_cmdlines) - and not proc.aname in (unicorn_launche) - and not consul_running_net_scripts - and not consul_running_alert_checks - and not nginx_starting_nginx - and not nginx_running_aws_s3_cp - and not run_by_package_mgmt_binaries - and not serf_script - and not check_process_status - and not run_by_foreman - and not python_mesos_marathon_scripting - and not splunk_running_forwarder - and not postgres_running_wal_e - and not redis_running_prepost_scripts - and not rabbitmq_running_scripts - and not rabbitmqctl_running_scripts - and not run_by_appdynamics - and not user_shell_container_exclusions - output: > - Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname - cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] - aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7]) - priority: DEBUG - tags: [shell] - - macro: trusted_containers - condition: (container.image startswith sysdig/agent or - (container.image startswith sysdig/falco and - not container.image startswith sysdig/falco-event-generator) or - container.image startswith quay.io/sysdig or - container.image startswith sysdig/sysdig or - container.image startswith registry.k8s.io/hyperkube or - container.image startswith quay.io/coreos/flannel or - container.image startswith registry.k8s.io/kube-proxy or - container.image startswith calico/node or - container.image startswith rook/toolbox or - container.image startswith 
registry.access.redhat.com/openshift3/logging-fluentd or - container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or - container.image startswith registry.access.redhat.com/openshift3/metrics-cassandra or - container.image startswith openshift3/ose-sti-builder or - container.image startswith registry.access.redhat.com/openshift3/ose-sti-builder or - container.image startswith registry.access.redhat.com/openshift3/ose-docker-builder or - container.image startswith registry.access.redhat.com/openshift3/image-inspector or - container.image startswith cloudnativelabs/kube-router or - container.image startswith "consul:" or - container.image startswith mesosphere/mesos-slave or - container.image startswith istio/proxy_ or - container.image startswith datadog/docker-dd-agent or - container.image startswith datadog/agent or - container.image startswith docker/ucp-agent or - container.image startswith gliderlabs/logspout) - - macro: user_trusted_containers - condition: (container.image startswith sysdig/agent) - - macro: user_sensitive_mount_containers - condition: (container.image startswith sysdig/agent) - - rule: Launch Privileged Container - desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images. 
- condition: > - evt.type=execve and proc.vpid=1 and container - and container.privileged=true - and not trusted_containers - and not user_trusted_containers - output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image) - priority: INFO - tags: [container, cis] - - macro: sensitive_mount - condition: (container.mount.dest[/proc*] != "N/A" or - container.mount.dest[/var/run/docker.sock] != "N/A" or - container.mount.dest[/] != "N/A" or - container.mount.dest[/etc] != "N/A" or - container.mount.dest[/root*] != "N/A") - - macro: container_entrypoint - condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc, exe)) - - rule: Launch Sensitive Mount Container - desc: > - Detect the initial process started by a container that has a mount from a sensitive host directory - (i.e. /proc). Exceptions are made for known trusted images. - condition: > - evt.type=execve and proc.vpid=1 and container - and sensitive_mount - and not trusted_containers - and not user_sensitive_mount_containers - output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image mounts=%container.mounts) - priority: INFO - tags: [container, cis] - - macro: allowed_containers - condition: (proc.vpid=1) - - rule: Launch Disallowed Container - desc: > - Detect the initial process started by a container that is not in a list of allowed containers. - condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers - output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image) - priority: WARNING - tags: [container] - - rule: System user interactive - desc: an attempt to run interactive commands by a system (i.e. 
non-login) user - condition: spawned_process and system_users and interactive - output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)" - priority: INFO - tags: [users] - - rule: Terminal shell in container - desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. - condition: > - spawned_process and container - and shell_procs and proc.tty != 0 - and container_entrypoint - output: > - A shell was spawned in a container with an attached terminal (user=%user.name %container.info - shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) - priority: NOTICE - tags: [container, shell] - - list: known_shell_spawn_cmdlines - items: [ - '"sh -c uname -p 2> /dev/null"', - '"sh -c uname -s 2>&1"', - '"sh -c uname -r 2>&1"', - '"sh -c uname -v 2>&1"', - '"sh -c uname -a 2>&1"', - '"sh -c ruby -v 2>&1"', - '"sh -c getconf CLK_TCK"', - '"sh -c getconf PAGESIZE"', - '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', - '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', - '"sh -c /sbin/ldconfig -p 2>/dev/null"', - '"sh -c stty -a 2>/dev/null"', - '"sh -c stty -a < /dev/tty"', - '"sh -c stty -g < /dev/tty"', - '"sh -c node index.js"', - '"sh -c node index"', - '"sh -c node ./src/start.js"', - '"sh -c node app.js"', - '"sh -c node -e \"require(''nan'')\""', - '"sh -c node -e \"require(''nan'')\")"', - '"sh -c node $NODE_DEBUG_OPTION index.js "', - '"sh -c crontab -l 2"', - '"sh -c lsb_release -a"', - '"sh -c lsb_release -is 2>/dev/null"', - '"sh -c whoami"', - '"sh -c node_modules/.bin/bower-installer"', - '"sh -c /bin/hostname -f 2> /dev/null"', - '"sh -c locale -a"', - '"sh -c -t -i"', - '"sh -c openssl version"', - '"bash -c id -Gn kafadmin"', - '"sh -c /bin/sh -c ''date +%%s''"' - ] - - list: user_known_shell_spawn_binaries - items: [] - - macro: user_shell_container_exclusions - condition: (never_true) - - macro: login_doing_dns_lookup - condition: (proc.name=login and 
fd.l4proto=udp and fd.sport=53) - - rule: System procs network activity - desc: any network activity performed by system binaries that are not expected to send or receive any network traffic - condition: > - (fd.sockfamily = ip and system_procs) - and (inbound_outbound) - and not proc.name in (systemd, hostid, id) - and not login_doing_dns_lookup - output: > - Known system binary sent/received network traffic - (user=%user.name command=%proc.cmdline connection=%fd.name) - priority: NOTICE - tags: [network] - - list: openvpn_udp_ports - items: [1194, 1197, 1198, 8080, 9201] - - list: l2tp_udp_ports - items: [500, 1701, 4500, 10000] - - list: statsd_ports - items: [8125] - - list: ntp_ports - items: [123] - - list: test_connect_ports - items: [0, 9, 80, 3306] - - macro: do_unexpected_udp_check - condition: (never_true) - - list: expected_udp_ports - items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports] - - macro: expected_udp_traffic - condition: fd.port in (expected_udp_ports) - - rule: Unexpected UDP Traffic - desc: UDP traffic not on port 53 (DNS) or other commonly used ports - condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic - output: > - Unexpected UDP Traffic Seen - (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args) - priority: NOTICE - tags: [network] - - macro: somebody_becoming_themself - condition: ((user.name=nobody and evt.arg.uid=nobody) or - (user.name=www-data and evt.arg.uid=www-data) or - (user.name=_apt and evt.arg.uid=_apt) or - (user.name=postfix and evt.arg.uid=postfix) or - (user.name=pki-agent and evt.arg.uid=pki-agent) or - (user.name=pki-acme and evt.arg.uid=pki-acme) or - (user.name=nfsnobody and evt.arg.uid=nfsnobody) or - (user.name=postgres and evt.arg.uid=postgres)) - - macro: nrpe_becoming_nagios - condition: (proc.name=nrpe and evt.arg.uid=nagios) - - macro: known_user_in_container - 
condition: (container and user.name != "N/A") - - rule: Non sudo setuid - desc: > - an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" - suing to itself are also excluded, as setuid calls typically involve dropping privileges. - condition: > - evt.type=setuid and evt.dir=> - and (known_user_in_container or not container) - and not user.name=root and not somebody_becoming_themself - and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, - nomachine_binaries) - and not java_running_sdjagent - and not nrpe_becoming_nagios - output: > - Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname - command=%proc.cmdline uid=%evt.arg.uid) - priority: NOTICE - tags: [users] - - rule: User mgmt binaries - desc: > - activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. - Activity in containers is also excluded--some containers create custom users on top - of a base linux distribution at startup. - Some innocuous commandlines that don't actually change anything are excluded. 
- condition: > - spawned_process and proc.name in (user_mgmt_binaries) and - not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and - not proc.pname in (cron_binaries, systemd, systemd.postins, udev.postinst, run-parts) and - not proc.cmdline startswith "passwd -S" and - not proc.cmdline startswith "useradd -D" and - not proc.cmdline startswith "systemd --version" and - not run_by_qualys and - not run_by_sumologic_securefiles and - not run_by_yum and - not run_by_ms_oms and - not run_by_google_accounts_daemon - output: > - User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) - priority: NOTICE - tags: [host, users] - - list: allowed_dev_files - items: [ - /dev/null, /dev/stdin, /dev/stdout, /dev/stderr, - /dev/random, /dev/urandom, /dev/console, /dev/kmsg - ] - - rule: Create files below dev - desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. 
- condition: > - fd.directory = /dev and - (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) - and not proc.name in (dev_creation_binaries) - and not fd.name in (allowed_dev_files) - and not fd.name startswith /dev/tty - output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" - priority: ERROR - tags: [filesystem] - - macro: ec2_metadata_containers - condition: container - - rule: Contact EC2 Instance Metadata Service From Container - desc: Detect attempts to contact the EC2 Instance Metadata Service from a container - condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers - output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image) - priority: NOTICE - tags: [network, aws, container] - - macro: k8s_api_server - condition: (fd.sip="1.2.3.4" and fd.sport=8080) - - macro: k8s_containers - condition: > - (container.image startswith registry.k8s.io/hyperkube-amd64 or - container.image startswith registry.k8s.io/kube2sky or - container.image startswith sysdig/agent or - container.image startswith sysdig/falco or - container.image startswith sysdig/sysdig) - - rule: Contact K8S API Server From Container - desc: Detect attempts to contact the K8S API Server from a container - condition: outbound and k8s_api_server and container and not k8s_containers - output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name) - priority: NOTICE - tags: [network, k8s, container] - - macro: nodeport_containers - condition: container - - rule: Unexpected K8s NodePort Connection - desc: Detect attempts to use K8s NodePorts from a container - condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers - output: Unexpected K8s NodePort Connection 
(command=%proc.cmdline connection=%fd.name) - priority: NOTICE - tags: [network, k8s, container] - - falco_rules_local: | - #################### - # Your custom rules! - #################### - - # Add new rules, like this one - # - rule: The program "sudo" is run in a container - # desc: An event will trigger every time you run sudo in a container - # condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo - # output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)" - # priority: ERROR - # tags: [users, container] - - # Or override/append to any rule, macro, or list from the Default Rules - custom_rules: {} - # Although Falco comes with a nice default rule set for detecting weird - # behavior in containers, our users are going to customize the run-time - # security rule sets or policies for the specific container images and - # applications they run. This feature can be handled in this section. - # - # Example: - # - # rules-traefik.yaml: |- - # [ rule body ] - -dependencies: - dynamic: - common: - local_image_registry: - jobs: - - k8sksauth-image-repo-sync - services: - - endpoint: node - service: local_image_registry - static: - falco: - services: null - image_repo_sync: - services: - - endpoint: internal - service: local_image_registry - -manifests: - daemonset: true - configmap_etc: true - configmap_custom_rules: false - configmap_bin: true - secret_registry: true - -# -- Array of extra K8s manifests to deploy -## Note: Supports use of custom Helm templates -extraObjects: [] - # - apiVersion: secrets-store.csi.x-k8s.io/v1 - # kind: SecretProviderClass - # metadata: - # name: osh-secrets-store - # spec: - # provider: aws - # parameters: - # objects: | - # - objectName: "osh" - # objectType: "secretsmanager" - # jmesPath: - # - path: "client_id" - # objectAlias: "client_id" - # - path: "client_secret" - # objectAlias: "client_secret" - # secretObjects: - # - data: - # - key: 
client_id
- # objectName: client_id
- # - key: client_secret
- # objectName: client_secret
- # secretName: osh-secrets-store
- # type: Opaque
- # labels:
- # app.kubernetes.io/part-of: osh
-...
diff --git a/lockdown/Chart.yaml b/lockdown/Chart.yaml
deleted file mode 100644
index 0492be500a..0000000000
--- a/lockdown/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v2
-appVersion: "1.0"
-description: |
- A helm chart used to lockdown all ingress and egress for a namespace
-name: lockdown
-version: 2025.2.0
-home: https://kubernetes.io/docs/concepts/services-networking/network-policies/
-...
diff --git a/lockdown/templates/extra-manifests.yaml b/lockdown/templates/extra-manifests.yaml
deleted file mode 100644
index fc9a76b885..0000000000
--- a/lockdown/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ if typeIs "string" . }}
- {{- tpl . $ }}
-{{- else }}
- {{- tpl (toYaml .) $ }}
-{{- end }}
-{{ end }}
diff --git a/lockdown/templates/network_policy.yaml b/lockdown/templates/network_policy.yaml
deleted file mode 100644
index 145d696aab..0000000000
--- a/lockdown/templates/network_policy.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-{{- if or .Values.conf.ingress.disallowed .Values.conf.egress.disallowed }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: deny-all
- namespace: {{ .Release.Namespace }}
-spec:
- policyTypes:
-{{- if .Values.conf.ingress.disallowed }}
- - Ingress
-{{- end }}
-{{- if .Values.conf.egress.disallowed }}
- - Egress
-{{- end }}
- podSelector: {}
-{{- if .Values.conf.ingress.disallowed }}
- ingress: []
-{{- end }}
-{{- if .Values.conf.egress.disallowed }}
- egress: []
-{{- end }}
-{{- end }}
diff --git a/lockdown/values.yaml b/lockdown/values.yaml
deleted file mode 100644
index ed80b9bf36..0000000000
--- a/lockdown/values.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for lockdown chart.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-conf:
- ingress:
- disallowed: true
- egress:
- disallowed: true
-
-# -- Array of extra K8s manifests to deploy
-## Note: Supports use of custom Helm templates
-extraObjects: []
- # - apiVersion: secrets-store.csi.x-k8s.io/v1
- # kind: SecretProviderClass
- # metadata:
- # name: osh-secrets-store
- # spec:
- # provider: aws
- # parameters:
- # objects: |
- # - objectName: "osh"
- # objectType: "secretsmanager"
- # jmesPath:
- # - path: "client_id"
- # objectAlias: "client_id"
- # - path: "client_secret"
- # objectAlias: "client_secret"
- # secretObjects:
- # - data:
- # - key: client_id
- # objectName: client_id
- # - key: client_secret
- # objectName: client_secret
- # secretName: osh-secrets-store
- # type: Opaque
- # labels:
- # app.kubernetes.io/part-of: osh
-...
diff --git a/metacontroller/Chart.yaml b/metacontroller/Chart.yaml
deleted file mode 100644
index e890699c2f..0000000000
--- a/metacontroller/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v2
-appVersion: v0.4.2
-description: A Helm chart for Metacontroller
-name: metacontroller
-version: 2025.2.0
-home: https://metacontroller.app/
-keywords:
- - CRDs
- - metacontroller
-sources:
- - https://github.com/GoogleCloudPlatform/metacontroller
-maintainers:
- - name: OpenStack-Helm Authors
-dependencies:
- - name: helm-toolkit
- repository: file://../helm-toolkit
- version: ">= 0.1.0"
-...
diff --git a/metacontroller/templates/crds.yaml b/metacontroller/templates/crds.yaml
deleted file mode 100644
index 0355dbc7d4..0000000000
--- a/metacontroller/templates/crds.yaml
+++ /dev/null
@@ -1,333 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.crds }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: compositecontrollers.metacontroller.k8s.io - annotations: - "api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458" -spec: - group: metacontroller.k8s.io - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - properties: - generateSelector: - type: boolean - resyncPeriodSeconds: - format: int32 - type: integer - parentResource: - properties: - apiVersion: - description: APIVersion is the combination of group & version of - the resource - type: string - resource: - description: Resource is the name of the resource. Its also the - plural of Kind - type: string - revisionHistory: - properties: - fieldPaths: - items: - type: string - type: array - type: object - required: - - apiVersion - - resource - type: object - childResources: - items: - properties: - apiVersion: - description: APIVersion is the combination of group & version - of the resource - type: string - resource: - description: Resource is the name of the resource. Its also the - plural of Kind - type: string - updateStrategy: - properties: - method: - description: ChildUpdateMethod represents a typed constant - to determine the update strategy of a child resource - type: string - statusChecks: - properties: - conditions: - items: - properties: - reason: - type: string - status: - type: string - type: - type: string - required: - - type - type: object - type: array - type: object - type: object - required: - - apiVersion - - resource - type: object - type: array - hooks: - properties: - finalize: - description: Hook refers to the logic that builds the desired state - of resources - properties: - inline: - description: Inline invocation to arrive at desired state - properties: - funcName: - type: string - type: object - webhook: - description: Webhook invocation to arrive at desired state - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - 
url: - type: string - type: object - type: object - postUpdateChild: - description: Hook refers to the logic that builds the desired state - of resources - properties: - inline: - description: Inline invocation to arrive at desired state - properties: - funcName: - type: string - type: object - webhook: - description: Webhook invocation to arrive at desired state - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - preUpdateChild: - description: Hook refers to the logic that builds the desired state - of resources - properties: - inline: - description: Inline invocation to arrive at desired state - properties: - funcName: - type: string - type: object - webhook: - description: Webhook invocation to arrive at desired state - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - sync: - description: Hook refers to the logic that builds the desired state - of resources - properties: - inline: - description: Inline invocation to arrive at desired state - properties: - funcName: - type: string - type: object - webhook: - description: Webhook invocation to arrive at desired state - properties: - path: - type: string - service: - properties: - name: - type: string - namespace: - type: string - port: - format: int32 - type: integer - protocol: - type: string - required: - - name - - namespace - type: object - timeout: - type: string - url: - type: string - type: object - type: object - type: object - required: - - parentResource - status: - type: object - required: - - 
metadata - - spec - scope: Cluster - names: - plural: compositecontrollers - singular: compositecontroller - kind: CompositeController - shortNames: - - cc - - cctl -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: decoratorcontrollers.metacontroller.k8s.io - annotations: - "api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458" -spec: - group: metacontroller.k8s.io - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - scope: Cluster - names: - plural: decoratorcontrollers - singular: decoratorcontroller - kind: DecoratorController - shortNames: - - dec - - decorators ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: controllerrevisions.metacontroller.k8s.io - annotations: - "api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458" -spec: - group: metacontroller.k8s.io - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - scope: Namespaced - names: - plural: controllerrevisions - singular: controllerrevision - kind: ControllerRevision -{{- end }} diff --git a/metacontroller/templates/extra-manifests.yaml b/metacontroller/templates/extra-manifests.yaml deleted file mode 100644 index fc9a76b885..0000000000 --- a/metacontroller/templates/extra-manifests.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{ range .Values.extraObjects }} ---- -{{ if typeIs "string" . }} - {{- tpl . $ }} -{{- else }} - {{- tpl (toYaml .) $ }} -{{- end }} -{{ end }} diff --git a/metacontroller/templates/job-image-repo-sync.yaml b/metacontroller/templates/job-image-repo-sync.yaml deleted file mode 100644 index 7cc55d2f6c..0000000000 --- a/metacontroller/templates/job-image-repo-sync.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} -{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "metacontroller" -}} -{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} -{{- end }} \ No newline at end of file diff --git a/metacontroller/templates/secret-registry.yaml b/metacontroller/templates/secret-registry.yaml deleted file mode 100644 index da979b3223..0000000000 --- a/metacontroller/templates/secret-registry.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }} -{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }} -{{- end }} diff --git a/metacontroller/templates/service.yaml b/metacontroller/templates/service.yaml deleted file mode 100644 index 62674a661b..0000000000 
--- a/metacontroller/templates/service.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.service }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ tuple "metacontroller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - namespace: {{ .Release.Namespace }} - labels: -{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - clusterIP: None - ports: - - name: metacontroller - port: {{ tuple "metacontroller" "internal" "metacontroller" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - selector: -{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -{{- end }} \ No newline at end of file diff --git a/metacontroller/templates/statefulset.yaml b/metacontroller/templates/statefulset.yaml deleted file mode 100644 index 2472ec4760..0000000000 --- a/metacontroller/templates/statefulset.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -{{/* -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.statefulset }} -{{- $envAll := . }} - -{{- $serviceAccountName := "metacontroller-serviceaccount" }} -{{ tuple $envAll "metacontroller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} - -{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }} ---- -{{- if .Values.manifests.rbac }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $controllerName }} -rules: -- apiGroups: - - "*" - resources: - - "*" - verbs: - - "*" -{{- end }} ---- -{{- if .Values.manifests.rbac }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $controllerName }} -subjects: -- kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ $controllerName }} - apiGroup: rbac.authorization.k8s.io -{{- end }} ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: metacontroller - annotations: -{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 4 }} - namespace: {{ .Release.Namespace }} - labels: -{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -spec: - selector: - matchLabels: -{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} - serviceName: {{ 
tuple "metacontroller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - podManagementPolicy: "Parallel" - replicas: {{ .Values.pod.replicas.metacontroller }} - template: - metadata: - labels: -{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - annotations: -{{ dict "envAll" $envAll "podName" "metacontroller" "containerNames" (list "metacontroller") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} - spec: -{{ dict "envAll" . "application" "metacontroller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} - serviceAccountName: {{ $serviceAccountName }} - terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "30" }} - nodeSelector: - {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }} - containers: - - name: metacontroller -{{ tuple $envAll "metacontroller" | include "helm-toolkit.snippets.image" | indent 8 }} -{{ tuple $envAll $envAll.Values.pod.resources.metacontroller | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }} -{{ dict "envAll" $envAll "application" "metacontroller" "container" "metacontroller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }} - ports: - - name: metacontroller - containerPort: {{ tuple "metacontroller" "internal" "metacontroller" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - command: - - /usr/bin/metacontroller - args: - - --logtostderr - - -v=6 - - --discovery-interval=20s -{{- end }} diff --git a/metacontroller/values.yaml b/metacontroller/values.yaml deleted file mode 100644 index 2535accb04..0000000000 --- a/metacontroller/values.yaml +++ /dev/null 
@@ -1,162 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for elasticsearch -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - ---- -release_group: null - -images: - tags: - metacontroller: metacontrollerio/metacontroller:v0.4.2 - dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy - image_repo_sync: quay.io/airshipit/docker:27.5.0 - pull_policy: IfNotPresent - local_registry: - active: false - exclude: - - dep_check - - image_repo_sync - -labels: - server: - node_selector_key: openstack-control-plane - node_selector_value: enabled - -dependencies: - dynamic: - common: - local_image_registry: - jobs: - - metacontroller-image-repo-sync - services: - - endpoint: node - service: local_image_registry - static: - image_repo_sync: - services: - - endpoint: internal - service: local_image_registry -pod: - lifecycle: - termination_grace_period: - server: - timeout: 600 - resources: - enabled: false - metacontroller: - limits: - memory: "1024Mi" - cpu: "2000m" - requests: - memory: "128Mi" - cpu: "500m" - replicas: - metacontroller: 1 - affinity: - anti: - type: - default: preferredDuringSchedulingIgnoredDuringExecution - topologyKey: - default: kubernetes.io/hostname - weight: - default: 10 - security_context: - metacontroller: - pod: - runAsUser: 34356 - container: - metacontroller: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - -secrets: - oci_image_registry: - 
metacontroller: metacontroller-oci-image-registry-key - -endpoints: - cluster_domain_suffix: cluster.local - local_image_registry: - name: docker-registry - namespace: docker-registry - hosts: - default: localhost - internal: docker-registry - node: localhost - host_fqdn_override: - default: null - port: - registry: - node: 5000 - oci_image_registry: - name: oci-image-registry - namespace: oci-image-registry - auth: - enabled: false - metacontroller: - username: metacontroller - password: password - hosts: - default: localhost - host_fqdn_override: - default: null - port: - registry: - default: null - metacontroller: - hosts: - default: metacontroller - host_fqdn_override: - default: null - port: - metacontroller: - default: 8083 - -manifests: - secret_registry: true - service: true - statefulset: true - job_image_repo_sync: true - crds: true - rbac: true - -# -- Array of extra K8s manifests to deploy -## Note: Supports use of custom Helm templates -extraObjects: [] - # - apiVersion: secrets-store.csi.x-k8s.io/v1 - # kind: SecretProviderClass - # metadata: - # name: osh-secrets-store - # spec: - # provider: aws - # parameters: - # objects: | - # - objectName: "osh" - # objectType: "secretsmanager" - # jmesPath: - # - path: "client_id" - # objectAlias: "client_id" - # - path: "client_secret" - # objectAlias: "client_secret" - # secretObjects: - # - data: - # - key: client_id - # objectName: client_id - # - key: client_secret - # objectName: client_secret - # secretName: osh-secrets-store - # type: Opaque - # labels: - # app.kubernetes.io/part-of: osh -... diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml index c17f4dd5b2..9f7657b799 100644 --- a/releasenotes/config.yaml +++ b/releasenotes/config.yaml 
@@ -20,7 +20,6 @@ sections: - [ceph-provisioners, ceph-provisioners Chart] - [cinder, cinder Chart] - [cloudkitty, cloudkitty Chart] - - [daemonjob-controller, daemonjob-controller Chart] - [designate, designate Chart] - [elastic-apm-server, elastic-apm-server Chart] - [elastic-filebeat, elastic-filebeat Chart] @@ -28,7 +27,6 @@ sections: - [elastic-packetbeat, elastic-packetbeat Chart] - [elasticsearch, elasticsearch Chart] - [etcd, etcd Chart] - - [falco, falco Chart] - [flannel, flannel Chart] - [fluentbit, fluentbit Chart] - [fluentd, fluentd Chart] @@ -49,11 +47,9 @@ sections: - [ldap, ldap Chart] - [libvirt, libvirt Chart] - [local-storage, local-storage Chart] - - [lockdown, lockdown Chart] - [magnum, magnum Chart] - [mariadb, mariadb Chart] - [memcached, memcached Chart] - - [metacontroller, metacontroller Chart] - [mistral, mistral Chart] - [mongodb, mongodb Chart] - [nagios, nagios Chart] diff --git a/releasenotes/notes/daemonjob-controller.yaml b/releasenotes/notes/daemonjob-controller.yaml deleted file mode 100644 index db272a6472..0000000000 --- a/releasenotes/notes/daemonjob-controller.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -daemonjob-controller: - - 0.1.0 Initial Chart - - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0" - - 0.1.2 Add default value for property in x-kubernetes-list-map-keys - - 0.1.3 Update to container image repo k8s.gcr.io - - 0.1.4 Use full image ref for docker official images - - 0.1.5 Update htk requirements - - 0.1.6 Added OCI registry authentication - - 0.1.7 Update kubernetes registry to registry.k8s.io - - 0.1.8 Update Chart.yaml apiVersion to v2 - - 2024.2.0 Update version to align with the Openstack release cycle -... diff --git a/releasenotes/notes/falco.yaml b/releasenotes/notes/falco.yaml deleted file mode 100644 index 2da3f34d7a..0000000000 --- a/releasenotes/notes/falco.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
----
-falco:
- - 0.1.0 Initial Chart
- - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- - 0.1.2 Update to container image repo k8s.gcr.io
- - 0.1.3 Remove zookeeper residue
- - 0.1.4 Remove kafka residue
- - 0.1.5 Use full image ref for docker official images
- - 0.1.6 Update htk requirements
- - 0.1.7 Added OCI registry authentication
- - 0.1.8 Replace node-role.kubernetes.io/master with control-plane
- - 0.1.9 Update kubernetes registry to registry.k8s.io
- - 0.1.10 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
- - 0.1.11 Update Chart.yaml apiVersion to v2
- - 2024.2.0 Update version to align with the Openstack release cycle
-...
diff --git a/releasenotes/notes/lockdown.yaml b/releasenotes/notes/lockdown.yaml
deleted file mode 100644
index 4ad8013b7f..0000000000
--- a/releasenotes/notes/lockdown.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-lockdown:
- - 0.1.0 Initial Chart
- - 0.1.1 Allows toggling
- - 0.1.2 Update Chart.yaml apiVersion to v2
- - 2024.2.0 Update version to align with the Openstack release cycle
-...
diff --git a/releasenotes/notes/metacontroller.yaml b/releasenotes/notes/metacontroller.yaml
deleted file mode 100644
index a09e3ba3df..0000000000
--- a/releasenotes/notes/metacontroller.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-metacontroller:
- - 0.1.0 Initial Chart
- - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- - 0.1.2 Fix disappearing metacontroller CRDs on upgrade
- - 0.1.3 Use full image ref for docker official images
- - 0.1.4 Update htk requirements
- - 0.1.5 Fix field validation error
- - 0.1.6 Added OCI registry authentication
- - 0.1.7 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
- - 0.1.8 Update Chart.yaml apiVersion to v2
- - 2024.2.0 Update version to align with the Openstack release cycle
-...
diff --git a/tools/deployment/common/daemonjob-controller.sh b/tools/deployment/common/daemonjob-controller.sh
deleted file mode 100755
index dd907b256e..0000000000
--- a/tools/deployment/common/daemonjob-controller.sh
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-set -xe
-
-namespace="metacontroller"
-: ${OSH_HELM_REPO:="../openstack-helm"}
-: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
-: ${HELM_ARGS_DAEMONJOB_CONTROLLER:="$(helm osh get-values-overrides -p ${OSH_VALUES_OVERRIDES_PATH} -c daemonjob-controller ${FEATURES})"}
-
-#NOTE: Deploy command
-helm upgrade --install daemonjob-controller ${OSH_HELM_REPO}/daemonjob-controller \
- --namespace=$namespace \
- --set pod.replicas.daemonjob_controller=4 \
- ${HELM_ARGS_DAEMONJOB_CONTROLLER}
-
-#NOTE: Wait for deploy
-helm osh wait-for-pods daemonjob-controller
-
-#NOTE: CompositeController succesfully deployed
-composite_controller_cr=$(kubectl get compositecontrollers | awk '{print $1}')
-echo "$composite_controller_cr, a CompositeController created succesfully"
-
-#NOTE: Check crd of APIGroup ctl.example.com
-daemonjob_crd=$(kubectl get crd | awk '/ctl.example.com/{print $1}')
-echo "$daemonjob_crd is succesfully created"
-
-#NOTE: Check daemonjob_controller is running
-pod=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $1}')
-daemonjob_controller_status=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $3}')
-
-NEXT_WAIT_TIME=0
-until [[ $daemonjob_controller_status == 'Running' ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
- daemonjob_controller_status=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $3}')
- echo "DaemonjobController is not still up and running"
- sleep 20
- NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
-done
-
-#NOTE: Create sample-daemonjob.yaml
-tee /tmp/sample-daemonjob.yaml << EOF
-apiVersion: ctl.example.com/v1
-kind: DaemonJob
-metadata:
- name: hello-world
- annotations:
- imageregistry: "https://hub.docker.com/"
- labels:
- app: hello-world
-spec:
- selector:
- matchLabels:
- app: hello-world
- template:
- metadata:
- labels:
- app: hello-world
- annotations:
- container.apparmor.security.beta.kubernetes.io/hello-world: localhost/docker-default
- spec:
- containers:
- - name: hello-world
- image: busybox
- command: ["sh", "-c", "echo 'Hello world' && sleep 120"]
- resources:
- requests:
- cpu: 10m
- terminationGracePeriodSeconds: 10
-EOF
-
-dj="daemonjobs"
-
-#NOTE: Deploy daemonjob
-kubectl apply -f /tmp/sample-daemonjob.yaml
-
-#NOTE: Wait for successful completion
-NEXT_WAIT_TIME=0
-echo "Wait for successful completion..."
-until [[ "$(kubectl get $dj hello-world -o 'jsonpath={.status.conditions[0].status}')" == "True" ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
- daemonset_pod=$(kubectl get pods | awk '/hello-world-dj/{print $1}')
- if [ -z "$daemonset_pod" ]
- then
- echo "Child resource daemonset not yet created"
- else
- daemonset_pod_status=$(kubectl get pods | awk '/hello-world-dj/{print $3}')
- if [ $daemonset_pod_status == 'Init:0/1' ]; then
- kubectl describe dj hello-world
- init_container_status=$(kubectl get pod $daemonset_pod -o 'jsonpath={.status.initContainerStatuses[0].state.running}')
- if [ ! -z "$init_container_status" ]; then
- expected_log=$(kubectl logs $daemonset_pod -c hello-world)
- if [ $expected_log == 'Hello world' ]; then
- echo "Strings are equal." && break
- fi
- fi
- fi
- fi
- sleep 20
- NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
-done
-
-#NOTE: Check that DaemonSet gets cleaned up after finishing
-NEXT_WAIT_TIME=0
-echo "Check that DaemonSet gets cleaned up after finishing..."
-until [[ "$(kubectl get daemonset hello-world-dj 2>&1)" =~ NotFound ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
- sleep 20
- NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
-done
diff --git a/tools/deployment/common/falco.sh b/tools/deployment/common/falco.sh
deleted file mode 100755
index 454f6d2309..0000000000
--- a/tools/deployment/common/falco.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-set -xe
-
-: ${OSH_HELM_REPO:="../openstack-helm"}
-
-#NOTE: Deploy command
-helm upgrade --install falco ${OSH_HELM_REPO}/falco \
- --namespace=kube-system
-
-#NOTE: Wait for deploy
-helm osh wait-for-pods kube-system
diff --git a/tools/deployment/common/lockdown-netpol.sh b/tools/deployment/common/lockdown-netpol.sh
deleted file mode 100755
index cbd46ae8f4..0000000000
--- a/tools/deployment/common/lockdown-netpol.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-set -xe
-
-#NOTE: Define variables
-: ${OSH_HELM_REPO:="../openstack-helm"}
-: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
-: ${OSH_EXTRA_HELM_ARGS_LOCKDOWN:="$(helm osh get-values-overrides ${DOWNLOAD_OVERRIDES:-} -p ${OSH_VALUES_OVERRIDES_PATH} -c lockdown ${FEATURES})"}
-
-#NOTE: Deploy command
-helm upgrade --install lockdown ${OSH_HELM_REPO}/lockdown \
- --namespace=openstack \
- ${OSH_EXTRA_HELM_ARGS:=} \
- ${OSH_EXTRA_HELM_ARGS_LOCKDOWN}
-
-#NOTE: Wait for deploy
-helm osh wait-for-pods openstack
diff --git a/tools/deployment/common/metacontroller.sh b/tools/deployment/common/metacontroller.sh
deleted file mode 100755
index 53f85697c0..0000000000
--- a/tools/deployment/common/metacontroller.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/bin/bash
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-set -xe
-
-namespace="metacontroller"
-: ${OSH_HELM_REPO:="../openstack-helm"}
-: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
-: ${HELM_ARGS_METACONTROLLER:="$(helm osh get-values-overrides -p ${OSH_VALUES_OVERRIDES_PATH} -c metacontroller ${FEATURES})"}
-
-#NOTE: Check no crd exists of APIGroup metacontroller.k8s.io
-crds=$(kubectl get crd | awk '/metacontroller.k8s.io/{print $1}')
-
-if [ -z "$crds" ]; then
- echo "No crd exists of APIGroup metacontroller.k8s.io"
-fi
-
-tee /tmp/${namespace}-ns.yaml << EOF
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- kubernetes.io/metadata.name: ${namespace}
- name: ${namespace}
- name: ${namespace}
-EOF
-
-kubectl create -f /tmp/${namespace}-ns.yaml
-
-#NOTE: Deploy command
-helm upgrade --install metacontroller ${OSH_HELM_REPO}/metacontroller \
- --namespace=$namespace \
- --set pod.replicas.metacontroller=3 \
- ${HELM_ARGS_METACONTROLLER}
-
-#NOTE: Wait for deploy
-helm osh wait-for-pods metacontroller
-
-#NOTE: Check crds of APIGroup metacontroller.k8s.io successfully created
-crds=$(kubectl get crd | awk '/metacontroller.k8s.io/{print $1}')
-
-COUNTER=0
-for i in $crds
-do
- case $i in
- "compositecontrollers.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
- "controllerrevisions.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
- "decoratorcontrollers.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
- *) echo "This is a wrong crd!!!";;
- esac
-done
-
-if test $COUNTER -eq 3; then
- echo "crds created succesfully"
-fi
diff --git a/values_overrides/daemonjob-controller/apparmor.yaml b/values_overrides/daemonjob-controller/apparmor.yaml
deleted file mode 100644
index 25c31940cf..0000000000
--- a/values_overrides/daemonjob-controller/apparmor.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-pod:
- security_context:
- daemonjob_controller:
- container:
- controller:
- appArmorProfile:
- type: RuntimeDefault
-...
diff --git a/values_overrides/metacontroller/apparmor.yaml b/values_overrides/metacontroller/apparmor.yaml
deleted file mode 100644
index 37c4de0ac4..0000000000
--- a/values_overrides/metacontroller/apparmor.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-pod:
- security_context:
- metacontroller:
- container:
- metacontroller:
- appArmorProfile:
- type: RuntimeDefault
-...
diff --git a/zuul.d/infra_jobs.yaml b/zuul.d/infra_jobs.yaml
index b7cac3cfda..f2b50fe7bf 100644
--- a/zuul.d/infra_jobs.yaml
+++ b/zuul.d/infra_jobs.yaml
@@ -67,22 +67,6 @@ - ./tools/gate/selenium/prometheus-selenium.sh || true - ./tools/gate/selenium/nagios-selenium.sh || true -- job: - name: openstack-helm-metacontroller - parent: openstack-helm-deploy - nodeset: openstack-helm-1node-ubuntu_jammy - vars: - osh_params: - container_distro_name: ubuntu - container_distro_version: jammy - feature_gates: apparmor,gateway - ingress_setup: false - gate_scripts: - - ./tools/deployment/common/prepare-k8s.sh - - ./tools/deployment/common/prepare-charts.sh - - ./tools/deployment/common/metacontroller.sh - - ./tools/deployment/common/daemonjob-controller.sh - - job: - name: openstack-helm-mariadb-operator-2025-1-ubuntu_jammy - parent: openstack-helm-deploy
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index a2e1552167..9bedf0eaea 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -58,7 +58,6 @@
 # Infra jobs
 - openstack-helm-logging
 - openstack-helm-monitoring
- - openstack-helm-metacontroller
 gate:
 jobs:
 - openstack-helm-linter
@@ -66,7 +65,6 @@
 - openstack-helm-compute-kit-2025-1-ubuntu_jammy
 # - openstack-helm-logging
 # - openstack-helm-monitoring
- - openstack-helm-metacontroller
 post:
 jobs:
 - openstack-helm-publish-charts