This version is under construction, please use an official release version

v1beta3 API Reference

v1beta3

APIEndpoint

APIEndpoint is the endpoint used to communicate with the Kubernetes API

Field | Description | Scheme | Required
host | Host is the hostname or IP on which the API is running. | string | true
port | Port is the port used to reach the API. Default value is 6443. | int | false
alternativeNames | AlternativeNames is a list of Subject Alternative Names added to the API server serving certificate. | []string | false

AWSSpec

AWSSpec defines the AWS cloud provider

Field | Description | Scheme | Required
(no fields)

Addon

Addon config

Field | Description | Scheme | Required
name | Name of the addon to configure. | string | true
params | Params to the addon, used to render the addon with text/template; these override globalParams. | map[string]string | false
disableTemplating | DisableTemplating disables templating for the addon. | bool | false
delete | Delete flag to ensure the named addon with all its contents is deleted. | bool | false

AddonRef

Field | Description | Scheme | Required
addon | KubeOne's internal Addon. | *Addon | false
helmRelease | HelmRelease configures a helm chart to reconcile. For each HelmRelease it runs the analog of: helm upgrade --namespace <NAMESPACE> --install --create-namespace <RELEASE> <CHART> [--values=values-override.yaml] | *HelmRelease | false

Addons

Addons config

Field | Description | Scheme | Required
path | Path on the local file system to the directory with addons manifests. | string | false
addons | Addons is a list of config options for named addons. | []AddonRef | false

AzureSpec

AzureSpec defines the Azure cloud provider

Field | Description | Scheme | Required
(no fields)

CNI

CNI config. Only one CNI provider may be configured at a time.

Field | Description | Scheme | Required
canal | Canal | *CanalSpec | false
cilium | Cilium | *CiliumSpec | false
weaveNet | WeaveNet | *WeaveNetSpec | false
external | External | *ExternalCNISpec | false

CanalSpec

CanalSpec defines the Canal CNI plugin

Field | Description | Scheme | Required
mtu | MTU is automatically detected based on the cloudProvider; the default value is 1450. | int | false

CiliumSpec

CiliumSpec defines the Cilium CNI plugin

Field | Description | Scheme | Required
kubeProxyReplacement | KubeProxyReplacement defines whether Cilium relies on the underlying kernel support to replace kube-proxy functionality with eBPF (strict), or disables a subset of those features so Cilium does not bail out if the kernel support is missing (disabled). Default is "disabled". | KubeProxyReplacementType | true
enableHubble | EnableHubble deploys the Hubble relay and UI. Default value is false. | bool | true

CloudProviderSpec

CloudProviderSpec describes the cloud provider that is running the machines. Only one cloud provider may be defined at a time.

Field | Description | Scheme | Required
external | External | bool | false
disableBundledCSIDrivers | DisableBundledCSIDrivers disables automatic deployment of the CSI drivers bundled with KubeOne. | bool | true
cloudConfig | CloudConfig | string | false
csiConfig | CSIConfig | string | false
secretProviderClassName | SecretProviderClassName | string | false
aws | AWS | *AWSSpec | false
azure | Azure | *AzureSpec | false
digitalocean | DigitalOcean | *DigitalOceanSpec | false
gce | GCE | *GCESpec | false
hetzner | Hetzner | *HetznerSpec | false
kubevirt | Kubevirt | *KubevirtSpec | false
nutanix | Nutanix | *NutanixSpec | false
openstack | Openstack | *OpenstackSpec | false
equinixmetal | EquinixMetal | *EquinixMetalSpec | false
vmwareCloudDirector | VMware Cloud Director | *VMwareCloudDirectorSpec | false
vsphere | Vsphere | *VsphereSpec | false
none | None | *NoneSpec | false

ClusterNetworkConfig

ClusterNetworkConfig describes the cluster network

Field | Description | Scheme | Required
podSubnet | PodSubnet. Default value is "10.244.0.0/16". | string | false
podSubnetIPv6 | PodSubnetIPv6. Default value is "fd01::/48". | string | false
serviceSubnet | ServiceSubnet. Default value is "10.96.0.0/12". | string | false
serviceSubnetIPv6 | ServiceSubnetIPv6. Default value is "fd02::/120". | string | false
serviceDomainName | ServiceDomainName. Default value is "cluster.local". | string | false
nodePortRange | NodePortRange. Default value is "30000-32767". | string | false
cni | CNI. Default value is {canal: {mtu: 1450}}. | *CNI | false
kubeProxy | KubeProxy config. | *KubeProxyConfig | false
ipFamily | IPFamily allows specifying the IP family of a cluster. Valid values are IPv4, IPv6, IPv4+IPv6 and IPv6+IPv4. | IPFamily | false
nodeCIDRMaskSizeIPv4 | NodeCIDRMaskSizeIPv4 is the mask size used to address the nodes within the provided IPv4 Pods CIDR. It has to be larger than the prefix length of the IPv4 Pods CIDR. Defaults to 24. | *int | false
nodeCIDRMaskSizeIPv6 | NodeCIDRMaskSizeIPv6 is the mask size used to address the nodes within the provided IPv6 Pods CIDR. It has to be larger than the prefix length of the IPv6 Pods CIDR. Defaults to 64. | *int | false
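
The rules above (non-overlapping subnets, node mask larger than the pod prefix, one CNI at a time) are easy to get wrong by hand. The following is an added example, not KubeOne's own validation code: it takes a parsed clusterNetwork block as a dict, applies the documented defaults, and reports every rule the block breaks. The sample BAD_CONFIG is constructed for illustration; treating an empty or missing cni block as the canal default is this example's assumption.

```python
"""Cross-field checks for a KubeOne ClusterNetworkConfig (added example, not KubeOne code)."""
import ipaddress

# Defaults as documented for ClusterNetworkConfig.
DEFAULTS = {
    "podSubnet": "10.244.0.0/16",
    "podSubnetIPv6": "fd01::/48",
    "serviceSubnet": "10.96.0.0/12",
    "serviceSubnetIPv6": "fd02::/120",
    "nodeCIDRMaskSizeIPv4": 24,
    "nodeCIDRMaskSizeIPv6": 64,
    "ipFamily": "IPv4",
    "cni": {"canal": {"mtu": 1450}},
}
IP_FAMILIES = ("IPv4", "IPv6", "IPv4+IPv6", "IPv6+IPv4")
CNI_KEYS = ("canal", "cilium", "weaveNet", "external")


def max_nodes(pod_subnet, node_mask):
    """Number of per-node pod CIDRs that fit in the pod subnet at the given mask size."""
    net = ipaddress.ip_network(pod_subnet, strict=True)
    return 2 ** (node_mask - net.prefixlen)


def validate_cluster_network(cfg):
    """Return a list of problems found in a clusterNetwork block; empty means it passes."""
    merged = {**DEFAULTS, **cfg}
    problems = []

    family = merged["ipFamily"]
    if family not in IP_FAMILIES:
        return [f"ipFamily {family!r} is not one of {', '.join(IP_FAMILIES)}"]

    def check_family(pod_key, svc_key, mask_key, version):
        try:
            pod = ipaddress.ip_network(merged[pod_key], strict=True)
            svc = ipaddress.ip_network(merged[svc_key], strict=True)
        except ValueError as exc:
            problems.append(f"{pod_key}/{svc_key}: {exc}")
            return
        if pod.version != version or svc.version != version:
            problems.append(f"{pod_key} and {svc_key} must both be IPv{version} networks")
            return
        if pod.overlaps(svc):
            problems.append(f"{pod_key} {pod} overlaps {svc_key} {svc}")
        mask = merged[mask_key]
        if mask <= pod.prefixlen:
            problems.append(
                f"{mask_key}={mask} must be larger than the {pod_key} prefix /{pod.prefixlen}")
        elif mask > pod.max_prefixlen:
            problems.append(f"{mask_key}={mask} exceeds /{pod.max_prefixlen}")

    if "IPv4" in family:
        check_family("podSubnet", "serviceSubnet", "nodeCIDRMaskSizeIPv4", 4)
    if "IPv6" in family:
        check_family("podSubnetIPv6", "serviceSubnetIPv6", "nodeCIDRMaskSizeIPv6", 6)

    # Only one CNI provider may be configured at a time; an unset or empty
    # cni block is treated as the documented canal default (assumption).
    cni = cfg.get("cni") or DEFAULTS["cni"]
    configured = [k for k in CNI_KEYS if cni.get(k) is not None]
    if len(configured) != 1:
        problems.append(f"exactly one CNI must be configured, got {configured or 'none'}")

    return problems


# Constructed sample: a block that breaks three rules at once.
BAD_CONFIG = {
    "podSubnet": "10.96.0.0/16",                    # overlaps the default service subnet
    "nodeCIDRMaskSizeIPv4": 16,                     # not larger than the /16 pod prefix
    "cni": {"canal": {"mtu": 1450}, "cilium": {}},  # two CNIs at once
}

if __name__ == "__main__":
    for problem in validate_cluster_network(BAD_CONFIG):
        print("problem:", problem)
    print("default config problems:", validate_cluster_network({}))
    print("nodes addressable with defaults:", max_nodes(DEFAULTS["podSubnet"], 24))
```

With the defaults, a /16 pod subnet and a /24 node mask give room for 256 nodes; shrinking the node mask to 16 leaves no room for any node at all, which is why the reference insists the mask be strictly larger than the pod prefix.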

ContainerRuntimeConfig

ContainerRuntimeConfig

Field | Description | Scheme | Required
containerd | Containerd related configuration. | *ContainerRuntimeContainerd | false

ContainerRuntimeContainerd

ContainerRuntimeContainerd defines the containerd container runtime

Field | Description | Scheme | Required
registries | A map of registries used to render configs and mirrors for containerd registries. | map[string]ContainerdRegistry | false
deviceOwnershipFromSecurityContext | Enable or disable the device_ownership_from_security_context containerd CRI config. Defaults to true. | *bool | false

ContainerdRegistry

ContainerdRegistry defines endpoints and security for given container registry

Field | Description | Scheme | Required
mirrors | List of registry mirrors to use. | []string | false
tlsConfig | TLSConfig for the registry. | *ContainerdTLSConfig | false
auth | Registry authentication. | *ContainerdRegistryAuthConfig | false

ContainerdRegistryAuthConfig

Containerd per-registry credentials config

Field | Description | Scheme | Required
username | | string | false
password | | string | false
auth | | string | false
identityToken | | string | false

ContainerdTLSConfig

Configures containerd TLS for a registry

Field | Description | Scheme | Required
insecureSkipVerify | Don't validate the remote TLS certificate. With verification off, any host that can intercept the connection can impersonate the registry, so prefer trusting the registry's CA instead. | bool | false

ControlPlaneComponentConfig

Field | Description | Scheme | Required
flags | Flags is a set of additional flags that will be passed to the control plane component. KubeOne internally configures some flags that are essential for the cluster to work. Those flags set by KubeOne will be merged with the ones specified in the configuration. In case of conflict the value provided by the user will be used. Usage of feature-gates is not allowed here, use the FeatureGates field instead. IMPORTANT: Use of these flags is at the user's own risk, as KubeOne does not provide support for issues caused by invalid values and configurations. | map[string]string | false
featureGates | FeatureGates is a map of additional feature gates that will be passed on to the control plane component. KubeOne internally configures some feature gates that are essential for the cluster to work. Those feature gates set by KubeOne will be merged with the ones specified in the configuration. In case of conflict the value provided by the user will be used. IMPORTANT: Use of these featureGates is at the user's own risk, as KubeOne does not provide support for issues caused by invalid values and configurations. | map[string]bool | false
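
The merge semantics described above (KubeOne's settings as the base, user values winning on conflict, no feature-gates under flags) are shown in the following added example. It is not KubeOne's implementation; KUBEONE_BASE_FLAGS and KUBEONE_BASE_FEATURE_GATES are constructed stand-ins for whatever KubeOne sets internally, not its real values, and the sample apiServer block is constructed.

```python
"""Merge user flags and feature gates for one control plane component (added example)."""

# Constructed stand-ins for the flags and gates KubeOne sets itself (assumption).
KUBEONE_BASE_FLAGS = {"profiling": "false", "anonymous-auth": "false"}
KUBEONE_BASE_FEATURE_GATES = {"RotateKubeletServerCertificate": True}


def merge_component_config(user_cfg, base_flags=KUBEONE_BASE_FLAGS,
                           base_gates=KUBEONE_BASE_FEATURE_GATES):
    """Return (flags, featureGates) for a component, user values winning on conflict."""
    user_flags = dict(user_cfg.get("flags") or {})
    user_gates = dict(user_cfg.get("featureGates") or {})

    for key in user_flags:
        # Reject "feature-gates" (with or without leading dashes): it must go via featureGates.
        if key.lstrip("-") == "feature-gates":
            raise ValueError("feature-gates is not allowed under flags; use featureGates instead")
    for key, value in user_gates.items():
        if not isinstance(value, bool):
            raise ValueError(f"featureGates[{key!r}] must be true or false, got {value!r}")

    flags = {**base_flags, **user_flags}   # later dict wins, so the user's value is kept
    gates = {**base_gates, **user_gates}
    return flags, gates


def overridden(user_cfg, base_flags=KUBEONE_BASE_FLAGS, base_gates=KUBEONE_BASE_FEATURE_GATES):
    """Names of KubeOne-set flags and gates the user changed; these are the overrides
    the reference says are at the user's own risk, so they deserve review."""
    flags, gates = merge_component_config(user_cfg, base_flags, base_gates)
    changed = [k for k in base_flags if flags[k] != base_flags[k]]
    changed += [k for k in base_gates if gates[k] != base_gates[k]]
    return sorted(changed)


def render_args(flags, gates):
    """Render the merged config as a stable, sorted command-line fragment."""
    args = [f"--{k}={v}" for k, v in sorted(flags.items())]
    if gates:
        gate_list = ",".join(f"{k}={'true' if v else 'false'}" for k, v in sorted(gates.items()))
        args.append(f"--feature-gates={gate_list}")
    return args


# Constructed sample: an apiServer block that re-enables profiling and flips a gate.
USER_APISERVER = {
    "flags": {"profiling": "true", "audit-log-maxage": "30"},
    "featureGates": {"RotateKubeletServerCertificate": False, "ServerSideApply": True},
}

if __name__ == "__main__":
    f, g = merge_component_config(USER_APISERVER)
    print(" ".join(render_args(f, g)))
    print("overrides to review:", overridden(USER_APISERVER))
```

The point of overridden() is that the merge silently lets a user turn a hardening flag back on; listing the keys whose KubeOne-set value changed is the cheapest review hook for that.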

ControlPlaneComponents

Field | Description | Scheme | Required
controllerManager | ControllerManager configures the Kubernetes Controller Manager. | *ControlPlaneComponentConfig | false
scheduler | Scheduler configures the Kubernetes Scheduler. | *ControlPlaneComponentConfig | false
apiServer | APIServer configures the Kubernetes API Server. | *ControlPlaneComponentConfig | false

ControlPlaneConfig

ControlPlaneConfig defines control plane nodes

Field | Description | Scheme | Required
hosts | Hosts is an array of all control plane hosts. | []HostConfig | true

CoreDNS

Field | Description | Scheme | Required
replicas | | *int32 | false
deployPodDisruptionBudget | | *bool | false
imageRepository | ImageRepository allows users to specify the image registry to be used for CoreDNS. kubeadm automatically appends /coredns at the end, so it is not necessary to specify it. By default it is empty, which means it is defaulted based on kubeadm defaults and on overwriteRegistry if that feature is used. ImageRepository has the highest priority, meaning it overrides overwriteRegistry if specified. | string | false

DNSConfig

DNSConfig contains a machine’s DNS configuration

Field | Description | Scheme | Required
servers | Servers | []string | true

DigitalOceanSpec

DigitalOceanSpec defines the DigitalOcean cloud provider

Field | Description | Scheme | Required
(no fields)

DynamicAuditLog

DynamicAuditLog feature flag

Field | Description | Scheme | Required
enable | Enable. Default value is false. | bool | false

DynamicWorkerConfig

DynamicWorkerConfig describes a set of worker machines

Field | Description | Scheme | Required
name | Name | string | true
replicas | Replicas | *int | true
providerSpec | Config | ProviderSpec | true

EncryptionProviders

Encryption Providers feature flag

Field | Description | Scheme | Required
enable | Enable | bool | true
customEncryptionConfiguration | CustomEncryptionConfiguration | string | true

EquinixMetalSpec

EquinixMetalSpec defines the Equinix Metal cloud provider

Field | Description | Scheme | Required
(no fields)

ExternalCNISpec

ExternalCNISpec defines the external CNI plugin. It is the user's responsibility to deploy the external CNI plugin manually or as an addon.

Field | Description | Scheme | Required
(no fields)

Features

Features controls what features will be enabled on the cluster

Field | Description | Scheme | Required
coreDNS | CoreDNS | *CoreDNS | false
podNodeSelector | PodNodeSelector | *PodNodeSelector | false
staticAuditLog | StaticAuditLog | *StaticAuditLog | false
dynamicAuditLog | DynamicAuditLog | *DynamicAuditLog | false
webhookAuditLog | WebhookAuditLog | *WebhookAuditLog | false
metricsServer | MetricsServer | *MetricsServer | false
openidConnect | OpenIDConnect | *OpenIDConnect | false
encryptionProviders | Encryption Providers | *EncryptionProviders | false
nodeLocalDNS | NodeLocalDNS config | *NodeLocalDNS | false

GCESpec

GCESpec defines the GCE cloud provider

Field | Description | Scheme | Required
(no fields)

HelmRelease

Field | Description | Scheme | Required
chart | Chart is the [CHART] part of the helm upgrade [RELEASE] [CHART] command. | string | true
repoURL | RepoURL is a chart repository URL where to locate the requested chart. | string | false
chartURL | ChartURL is a direct chart URL location. | string | false
version | Version is the --version flag of the helm upgrade command. Specify the exact chart version to use. If this is not specified, the latest version is used. | string | false
releaseName | ReleaseName is the [RELEASE] part of the helm upgrade [RELEASE] [CHART] command. Empty defaults to the chart name. | string | false
namespace | Namespace is the --namespace flag of the helm upgrade command. A namespace to use for a release. | string | true
wait | Wait is the --wait flag of the helm install command. | bool | false
timeout | WaitTimeout is the --timeout flag of the helm install command. Defaults to 5m. | metav1.Duration | false
values | Values provide optional overrides of the helm values. | []HelmValues | false

HelmValues

HelmValues configure inputs to the helm upgrade --install command analog.

Field | Description | Scheme | Required
valuesFile | ValuesFile is an optional path on the local file system containing helm values to override. An analog of the --values flag of the helm upgrade command. | string | false
inline | Inline is optionally used as a convenient way to provide short user input overrides to the helm upgrade process. It is written to a temporary file and used as an analog of helm upgrade --values=/tmp/inline-helm-values-XXX. | json.RawMessage | false

HetznerSpec

HetznerSpec defines the Hetzner cloud provider

Field | Description | Scheme | Required
networkID | NetworkID | string | false

HostConfig

HostConfig describes a single control plane or worker node.

Field | Description | Scheme | Required
publicAddress | PublicAddress is the externally accessible IP address from the public internet. | string | true
ipv6Addresses | IPv6Addresses is a list of IPv6 addresses for the node. Only the first IPv6 address will be announced to the Kubernetes control plane. It is a list because you can request lots of IPv6 addresses (for example in case you want to assign one address per service). | []string | true
privateAddress | PrivateAddress is the internal RFC 1918 IP address. | string | true
sshPort | SSHPort is the port to connect to over SSH. Default value is 22. | int | false
sshUsername | SSHUsername is the system login name. Default value is "root". | string | false
sshPrivateKeyFile | SSHPrivateKeyFile is the path to the file with the PRIVATE AND CLEARTEXT (unencrypted, no passphrase) SSH key. Default value is "". | string | false
sshCertFile | SSHCertFile is the path to the file with the certificate of the private key. Default value is "". | string | false
sshHostPublicKey | SSHHostPublicKey, if not empty, will be used to verify the remote host's public key. | []byte | false
sshAgentSocket | SSHAgentSocket is the path (or reference to the environment) to the SSH agent unix domain socket. Default value is "env:SSH_AUTH_SOCK". | string | false
bastion | Bastion is an IP or hostname of the bastion (or jump) host to connect to. Default value is "". | string | false
bastionPort | BastionPort is the SSH port to use when connecting to the bastion if it's configured in .Bastion. Default value is 22. | int | false
bastionUser | BastionUser is the system login name to use when connecting to the bastion host. Default value is "root". | string | false
bastionHostPublicKey | BastionHostPublicKey, if not empty, will be used to verify the bastion's SSH host public key. | []byte | false
hostname | Hostname is the hostname(1) of the host. Default value is populated at runtime by running hostname -f over SSH. | string | false
isLeader | IsLeader indicates this host as a session leader. Default value is populated at runtime. | bool | false
taints | Taints are taints applied to nodes. Those taints are only applied when the node is being provisioned. If not provided (i.e. nil) for control plane nodes, it defaults to TaintEffectNoSchedule with key node-role.kubernetes.io/control-plane. Explicitly empty (i.e. []corev1.Taint{}) means no taints will be applied (this is the default for worker nodes). | []corev1.Taint | false
labels | Labels to apply to (or remove from, with a minus symbol suffix; see kubectl help label) the node. | map[string]string | false
kubelet | Kubelet | KubeletConfig | false
operatingSystem | OperatingSystem information, can be populated at runtime. | OperatingSystemName | false

IPTables

IPTables

Field | Description | Scheme | Required
(no fields)

IPVSConfig

IPVSConfig contains different options to configure IPVS kube-proxy mode

Field | Description | Scheme | Required
scheduler | IPVS scheduler; if not configured, round-robin (rr) is the default. Can be one of: rr (round-robin), lc (least connection, smallest number of open connections), dh (destination hashing), sh (source hashing), sed (shortest expected delay), nq (never queue). | string | true
excludeCIDRs | excludeCIDRs is a list of CIDRs which the IPVS proxier should not touch when cleaning up IPVS services. | []string | true
strictARP | strictARP configures arp_ignore and arp_announce to avoid answering ARP queries from the kube-ipvs0 interface. | bool | true
tcpTimeout | tcpTimeout is the timeout value used for idle IPVS TCP sessions. The default value is 0, which preserves the current timeout value on the system. | metav1.Duration | true
tcpFinTimeout | tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. The default value is 0, which preserves the current timeout value on the system. | metav1.Duration | true
udpTimeout | udpTimeout is the timeout value used for IPVS UDP packets. The default value is 0, which preserves the current timeout value on the system. | metav1.Duration | true

KubeOneCluster

KubeOneCluster is KubeOne Cluster API Schema

Field | Description | Scheme | Required
name | Name is the name of the cluster. | string | true
controlPlane | ControlPlane describes the control plane nodes and how to access them. | ControlPlaneConfig | true
apiEndpoint | APIEndpoint is the address and port pair used to communicate with the Kubernetes API. | APIEndpoint | true
cloudProvider | CloudProvider configures the cloud provider specific features. | CloudProviderSpec | true
versions | Versions defines which Kubernetes version will be installed. | VersionConfig | true
containerRuntime | ContainerRuntime defines which container runtime will be installed. | ContainerRuntimeConfig | false
clusterNetwork | ClusterNetwork configures the in-cluster networking. | ClusterNetworkConfig | false
proxy | Proxy configures the proxy used while installing Kubernetes and by the Docker daemon. | ProxyConfig | false
staticWorkers | StaticWorkers describes the worker nodes that are managed by KubeOne/kubeadm. | StaticWorkersConfig | false
dynamicWorkers | DynamicWorkers describes the worker nodes that are managed by Kubermatic machine-controller/Cluster-API. | []DynamicWorkerConfig | false
machineController | MachineController configures the Kubermatic machine-controller component. | *MachineControllerConfig | false
operatingSystemManager | OperatingSystemManager configures the Kubermatic operating-system-manager component. | *OperatingSystemManagerConfig | false
caBundle | CABundle is a PEM encoded global CA bundle. | string | false
features | Features enables and configures additional cluster features. | Features | false
addons | Addons are used to deploy additional manifests. | *Addons | false
systemPackages | SystemPackages configure KubeOne behaviour regarding OS packages. | *SystemPackages | false
registryConfiguration | RegistryConfiguration configures how Docker images are pulled from an image registry. | *RegistryConfiguration | false
loggingConfig | LoggingConfig configures the kubelet's log rotation. | LoggingConfig | false
tlsCipherSuites | TLSCipherSuites allows configuring TLS cipher suites for different components. See https://pkg.go.dev/crypto/tls#pkg-constants for possible values. | TLSCipherSuites | true
controlPlaneComponents | ControlPlaneComponents configures the Kubernetes control plane components. | *ControlPlaneComponents | false

KubeProxyConfig

KubeProxyConfig defines configured kube-proxy mode, default is iptables mode

Field | Description | Scheme | Required
skipInstallation | SkipInstallation skips the installation of kube-proxy. Default value is false. | bool | true
ipvs | IPVS config | *IPVSConfig | true
iptables | IPTables config | *IPTables | true

KubeletConfig

KubeletConfig provides some kubelet configuration options

Field | Description | Scheme | Required
systemReserved | SystemReserved configures the --system-reserved command-line flag of the kubelet. See more at: https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ | map[string]string | false
kubeReserved | KubeReserved configures the --kube-reserved command-line flag of the kubelet. See more at: https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ | map[string]string | false
evictionHard | EvictionHard configures the --eviction-hard command-line flag of the kubelet. See more at: https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ | map[string]string | false
maxPods | MaxPods configures the maximum number of pods per node. If not provided, the kubelet default is used (max. 110 pods per node). | *int32 | false
podPidsLimit | PodPidsLimit configures the maximum number of processes running in a Pod. If not provided, the kubelet default of -1 (no limit) is used. See more about PID limiting at: https://kubernetes.io/docs/concepts/policy/pid-limiting/ | *int64 | false

KubevirtSpec

KubevirtSpec defines the Kubevirt provider

Field | Description | Scheme | Required
(no fields)

LoggingConfig

LoggingConfig configures the Kubelet’s log rotation

Field | Description | Scheme | Required
containerLogMaxSize | ContainerLogMaxSize configures the maximum size of a container log file before it is rotated. See more at: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/ | string | false
containerLogMaxFiles | ContainerLogMaxFiles configures the maximum number of container log files that can be present for a container. See more at: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/ | int32 | false

MachineControllerConfig

MachineControllerConfig configures kubermatic machine-controller deployment

Field | Description | Scheme | Required
deploy | Deploy | bool | false

MetricsServer

MetricsServer feature flag

Field | Description | Scheme | Required
enable | Enable deployment of metrics-server. Default value is true. | bool | false

NodeLocalDNS

Field | Description | Scheme | Required
deploy | Deploy is enabled by default. | bool | false

NoneSpec

NoneSpec defines a none provider

Field | Description | Scheme | Required
(no fields)

NutanixSpec

NutanixSpec defines the Nutanix provider

Field | Description | Scheme | Required
(no fields)

OpenIDConnect

OpenIDConnect feature flag

Field | Description | Scheme | Required
enable | Enable | bool | false
config | Config | OpenIDConnectConfig | true

OpenIDConnectConfig

OpenIDConnectConfig config

Field | Description | Scheme | Required
issuerUrl | IssuerURL | string | true
clientId | ClientID | string | false
usernameClaim | UsernameClaim | string | false
usernamePrefix | UsernamePrefix. The value "-" can be used to disable all prefixing. | string | false
groupsClaim | GroupsClaim | string | false
groupsPrefix | GroupsPrefix. The value "-" can be used to disable all prefixing. | string | false
requiredClaim | RequiredClaim | string | true
signingAlgs | SigningAlgs | string | false
caFile | CAFile | string | true

OpenstackSpec

OpenstackSpec defines the Openstack provider

Field | Description | Scheme | Required
(no fields)

OperatingSystemManagerConfig

OperatingSystemManagerConfig configures kubermatic operating-system-manager deployment.

Field | Description | Scheme | Required
deploy | Deploy | bool | false

PodNodeSelector

PodNodeSelector feature flag

Field | Description | Scheme | Required
enable | Enable | bool | false
config | Config | PodNodeSelectorConfig | true

PodNodeSelectorConfig

PodNodeSelectorConfig config

Field | Description | Scheme | Required
configFilePath | ConfigFilePath is a path on the local file system to the PodNodeSelector configuration file. ConfigFilePath is a required field. More info: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector | string | true

ProviderSpec

ProviderSpec describes a worker node

Field | Description | Scheme | Required
cloudProviderSpec | CloudProviderSpec | json.RawMessage | true
annotations | Annotations set MachineDeployment.ObjectMeta.Annotations. | map[string]string | false
machineAnnotations | MachineAnnotations set MachineDeployment.Spec.Template.Spec.ObjectMeta.Annotations as a way to annotate resulting Nodes. Deprecated: Use NodeAnnotations instead. | map[string]string | false
nodeAnnotations | NodeAnnotations set MachineDeployment.Spec.Template.Spec.ObjectMeta.Annotations as a way to annotate resulting Nodes. | map[string]string | false
machineObjectAnnotations | MachineObjectAnnotations set MachineDeployment.Spec.Template.Metadata.Annotations as a way to annotate resulting Machine objects. Those annotations are not propagated to Node objects. If you want to annotate resulting Nodes as well, see NodeAnnotations. | map[string]string | false
labels | Labels | map[string]string | false
taints | Taints | []corev1.Taint | false
sshPublicKeys | SSHPublicKeys | []string | false
operatingSystem | OperatingSystem | string | true
operatingSystemSpec | OperatingSystemSpec | json.RawMessage | false
network | Network | *ProviderStaticNetworkConfig | false
overwriteCloudConfig | OverwriteCloudConfig | *string | false

ProviderStaticNetworkConfig

ProviderStaticNetworkConfig contains a machine’s static network configuration

Field | Description | Scheme | Required
cidr | CIDR | string | true
gateway | Gateway | string | true
dns | DNS | DNSConfig | true
ipFamily | IPFamily | IPFamily | true

ProxyConfig

ProxyConfig configures proxy for the Docker daemon and is used by KubeOne scripts

Field | Description | Scheme | Required
http | HTTP | string | false
https | HTTPS | string | false
noProxy | NoProxy | string | false

RegistryConfiguration

RegistryConfiguration controls how images used for components deployed by KubeOne and kubeadm are pulled from an image registry

Field | Description | Scheme | Required
overwriteRegistry | OverwriteRegistry specifies a custom Docker registry which will be used for all images required for KubeOne and kubeadm. This also applies to addons deployed by KubeOne. This field doesn't modify the user/organization part of the image. For example, if OverwriteRegistry is set to 127.0.0.1:5000/example, an image called calico/cni would translate to 127.0.0.1:5000/example/calico/cni. Default: "" | string | false
insecureRegistry | InsecureRegistry configures Docker to treat the registry specified in OverwriteRegistry as an insecure registry (plain HTTP or an untrusted certificate is accepted). This is also propagated to the worker nodes managed by machine-controller and/or KubeOne. | bool | false
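
The overwriteRegistry rewrite above, and the CoreDNS imageRepository precedence described under CoreDNS (imageRepository first, then overwriteRegistry, then the kubeadm default, with kubeadm appending /coredns itself), are shown in the following added example. It is not KubeOne's code. Assumptions: an image whose first path component looks like a host (contains "." or ":" or is "localhost") has that host replaced while org/name, tag and digest are kept, and the kubeadm default CoreDNS repository is taken to be registry.k8s.io/coredns.

```python
"""Image reference rewriting for overwriteRegistry and CoreDNS imageRepository (added example)."""

KUBEADM_DEFAULT_COREDNS_REPO = "registry.k8s.io/coredns"  # assumption, see lead-in


def split_image(ref):
    """Split 'host/org/name:tag@sha256:...' into (host_or_None, path, suffix).

    suffix carries the tag and/or digest so they can be re-attached unchanged.
    """
    suffix = ""
    if "@" in ref:                       # digest comes after the tag, strip it first
        ref, digest = ref.split("@", 1)
        suffix = "@" + digest
    last_slash = ref.rfind("/")
    if ":" in ref[last_slash + 1:]:      # a ':' after the last '/' is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
        suffix = ":" + tag + suffix
    parts = ref.split("/")
    first = parts[0]
    # Registry hosts contain a dot or a port, or are "localhost"; "calico" does not.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first, "/".join(parts[1:]), suffix
    return None, ref, suffix


def rewrite_image(ref, overwrite_registry):
    """Apply overwriteRegistry: replace the registry host, keep org/name, tag and digest."""
    if not overwrite_registry:
        return ref
    _host, path, suffix = split_image(ref)
    return f"{overwrite_registry.rstrip('/')}/{path}{suffix}"


def coredns_repository(image_repository="", overwrite_registry=""):
    """imageRepository wins; otherwise overwriteRegistry rewrites the kubeadm default;
    otherwise the kubeadm default. kubeadm appends /coredns to whatever is returned."""
    if image_repository:
        return image_repository
    if overwrite_registry:
        return rewrite_image(KUBEADM_DEFAULT_COREDNS_REPO, overwrite_registry)
    return KUBEADM_DEFAULT_COREDNS_REPO


# Constructed samples.
MIRROR = "127.0.0.1:5000/example"
SAMPLE_IMAGES = [
    "calico/cni",                                    # the reference's own example
    "quay.io/calico/cni:v3.26.1",                    # tag kept
    "registry.k8s.io/kube-apiserver@sha256:0123abcd",  # digest kept
]

if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(f"{image} -> {rewrite_image(image, MIRROR)}")
    print("coredns repo with overwriteRegistry:", coredns_repository("", MIRROR))
    print("coredns repo with imageRepository:", coredns_repository("my.reg/custom", MIRROR))
```

Digest-pinned references survive the rewrite with the digest intact, which is what you want: a mirror that serves different bytes for the same digest fails the pull instead of silently substituting content. insecureRegistry drops that protection only at the transport level (the digest check still applies), but a plain-HTTP mirror can still be made to serve tag-based pulls it chooses.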

StaticAuditLog

StaticAuditLog feature flag

Field | Description | Scheme | Required
enable | Enable | bool | false
config | Config | StaticAuditLogConfig | true

StaticAuditLogConfig

StaticAuditLogConfig config

Field | Description | Scheme | Required
policyFilePath | PolicyFilePath is a path on the local file system to the audit policy manifest which defines what events should be recorded and what data they should include. PolicyFilePath is a required field. More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy | string | true
logPath | LogPath is the path on control plane instances where audit log files are stored. Default value is /var/log/kubernetes/audit.log | string | false
logMaxAge | LogMaxAge is the maximum number of days to retain old audit log files. Default value is 30. | int | false
logMaxBackup | LogMaxBackup is the maximum number of audit log files to retain. Default value is 3. | int | false
logMaxSize | LogMaxSize is the maximum size in megabytes of an audit log file before it gets rotated. Default value is 100. | int | false

StaticWorkersConfig

StaticWorkersConfig defines static worker nodes provisioned by KubeOne and kubeadm

Field | Description | Scheme | Required
hosts | Hosts | []HostConfig | false

SystemPackages

SystemPackages controls configurations of APT/YUM

Field | Description | Scheme | Required
configureRepositories | ConfigureRepositories (true by default) is a flag to control automatic configuration of kubeadm / docker repositories. | bool | false

TLSCipherSuites

Field | Description | Scheme | Required
apiServer | APIServer is a list of TLS cipher suites to use in kube-apiserver. | []string | false
etcd | Etcd is a list of TLS cipher suites to use in etcd. | []string | false
kubelet | Kubelet is a list of TLS cipher suites to use in kubelet. | []string | false
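
The values in these lists must be Go crypto/tls constant names (see the link under KubeOneCluster.tlsCipherSuites), and a misspelt or OpenSSL-style name is rejected by the component at startup. The following added example, not KubeOne's code, checks a TLSCipherSuites block against the names Go exports and flags suites a hardened control plane should not offer. KNOWN_GO_SUITES is copied from the crypto/tls constants; the verdicts (ECDHE for forward secrecy, AEAD over CBC, no RC4 or 3DES) are this example's own policy, and the HARDENED and WEAK blocks are constructed.

```python
"""Lint a KubeOne TLSCipherSuites block (added example, not KubeOne code)."""

# Cipher suite constant names exported by Go's crypto/tls (pkg.go.dev/crypto/tls#pkg-constants).
KNOWN_GO_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    # TLS 1.3 suites: Go does not let callers restrict these, so listing them changes nothing.
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}

COMPONENTS = ("apiServer", "etcd", "kubelet")


def classify(suite):
    """Return "ok" or a short reason why the suite needs attention."""
    if suite not in KNOWN_GO_SUITES:
        return "unknown-name"              # component will refuse to start
    if "_WITH_" not in suite:
        return "tls13-not-configurable"    # harmless but has no effect in Go
    if "RC4" in suite or "3DES" in suite:
        return "broken-cipher"
    if not suite.startswith("TLS_ECDHE_"):
        return "no-forward-secrecy"        # static RSA key exchange
    if "_CBC_" in suite:
        return "cbc-mac-then-encrypt"      # prefer the GCM/CHACHA20 AEAD variant
    return "ok"


def check_cipher_suites(tls):
    """Map component -> {suite: verdict} for every suite that is not "ok"."""
    findings = {}
    for component in COMPONENTS:
        for suite in tls.get(component) or []:
            verdict = classify(suite)
            if verdict != "ok":
                findings.setdefault(component, {})[suite] = verdict
    return findings


# Constructed sample blocks.
HARDENED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
HARDENED = {c: HARDENED_SUITES for c in COMPONENTS}
WEAK = {
    "apiServer": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "etcd": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "kubelet": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"],
}

if __name__ == "__main__":
    print("hardened:", check_cipher_suites(HARDENED) or "no findings")
    for component, suites in check_cipher_suites(WEAK).items():
        for suite, verdict in suites.items():
            print(f"{component}: {suite}: {verdict}")
```

The same list should normally be applied to all three components; etcd and the kubelet are reached by the API server with client certificates, so a weak suite on either side downgrades the whole control plane path.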

VMwareCloudDirectorSpec

VMwareCloudDirectorSpec defines the VMware Cloud Director provider

Field | Description | Scheme | Required
vApp | VApp is the name of the vApp for VMs. | string | false
storageProfile | StorageProfile is the name of the storage profile to be used for disks. | string | true

VersionConfig

VersionConfig describes the versions of components that are installed on the machines

Field | Description | Scheme | Required
kubernetes | | string | true

VsphereSpec

VsphereSpec defines the vSphere provider

Field | Description | Scheme | Required
(no fields)

WeaveNetSpec

WeaveNetSpec defines the WeaveNet CNI plugin

Field | Description | Scheme | Required
encrypted | Encrypted | bool | false

WebHookAuditLogBatchConfig

Field | Description | Scheme | Required
bufferSize | BufferSize defines the number of events to buffer before batching. If the rate of incoming events overflows the buffer, events are dropped. | int | false
maxSize | MaxSize defines the maximum number of events in one batch. | int | false
maxWait | MaxWait defines the maximum amount of time to wait before unconditionally batching events in the queue. | metav1.Duration | false
throttle | Throttle defines throttle configuration options. | WebHookAuditLogThrottleConfig | false

WebHookAuditLogThrottleConfig

Field | Description | Scheme | Required
disable | Disable disables webhook throttling. Defaults to false, which corresponds to kube-apiserver's default of enabling throttling. | bool | false
burst | Burst defines the maximum number of batches generated at the same moment if the allowed QPS was underutilized previously. | int | false
QPS | QPS defines the maximum average number of batches generated per second. | float32 | false

WebHookAuditLogTruncateConfig

Field | Description | Scheme | Required
enable | Enable enables webhook truncating to support limiting the size of events. Defaults to false. | bool | false
maxBatchSize | MaxBatchSize defines the maximum size in bytes of the batch sent to the underlying backend. | int | false
maxEventSize | MaxEventSize defines the maximum size in bytes of the audit event sent to the underlying backend. | int | false

WebhookAuditLog

Field | Description | Scheme | Required
enable | Enable. Default value is false. | bool | false
config | Config | WebhookAuditLogConfig | true

WebhookAuditLogConfig

Field | Description | Scheme | Required
policyFilePath | PolicyFilePath is a path on the local file system to the audit policy manifest which defines what events should be recorded and what data they should include. PolicyFilePath is a required field. More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy | string | true
configFilePath | ConfigFilePath is a path on the local file system to a kubeconfig formatted file that defines how kube-apiserver can connect to the audit webhook. ConfigFilePath is a required field. More info: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend | string | true
initialBackOff | InitialBackOff defines the amount of time to wait before retrying the first failed request. Defaults to 10s. | metav1.Duration | false
mode | Mode defines the strategy for sending audit events. Blocking indicates sending events should block server responses. Batch causes the backend to buffer and write events asynchronously. Known modes are batch, blocking, blocking-strict. Defaults to batch. | string | false
version | Version defines the API group and version used for serializing audit events written to the webhook. Defaults to audit.k8s.io/v1 | string | false
batch | Batch defines settings for controlling event batching. Only applicable if webhook mode is set to batch. | WebHookAuditLogBatchConfig | false
truncate | Truncate defines settings for controlling event truncation. | WebHookAuditLogTruncateConfig | false
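
The StaticAuditLogConfig and WebhookAuditLogConfig fields above map onto kube-apiserver's --audit-log-* and --audit-webhook-* flags. The following added example, which is not KubeOne's rendering code, turns both feature blocks into those flags, applying the documented defaults, enforcing the documented required fields, and emitting batch settings only in batch mode. The flag names are kube-apiserver's own; how KubeOne itself emits them may differ, Go-style zero values (0, "") are treated as unset, and the FEATURES sample is constructed.

```python
"""Render StaticAuditLog/WebhookAuditLog feature blocks as kube-apiserver flags (added example)."""

WEBHOOK_MODES = ("batch", "blocking", "blocking-strict")


def static_audit_flags(feature):
    """Flags for features.staticAuditLog; empty list when the feature is off."""
    if not feature.get("enable"):
        return []
    cfg = feature.get("config") or {}
    if not cfg.get("policyFilePath"):
        raise ValueError("staticAuditLog.config.policyFilePath is required")
    return [
        f"--audit-policy-file={cfg['policyFilePath']}",
        f"--audit-log-path={cfg.get('logPath') or '/var/log/kubernetes/audit.log'}",
        f"--audit-log-maxage={cfg.get('logMaxAge') or 30}",
        f"--audit-log-maxbackup={cfg.get('logMaxBackup') or 3}",
        f"--audit-log-maxsize={cfg.get('logMaxSize') or 100}",
    ]


def webhook_audit_flags(feature):
    """Flags for features.webhookAuditLog; empty list when the feature is off."""
    if not feature.get("enable"):
        return []
    cfg = feature.get("config") or {}
    for key in ("policyFilePath", "configFilePath"):
        if not cfg.get(key):
            raise ValueError(f"webhookAuditLog.config.{key} is required")
    mode = cfg.get("mode") or "batch"
    if mode not in WEBHOOK_MODES:
        raise ValueError(f"webhookAuditLog.config.mode must be one of {WEBHOOK_MODES}")

    flags = [
        f"--audit-policy-file={cfg['policyFilePath']}",
        f"--audit-webhook-config-file={cfg['configFilePath']}",
        f"--audit-webhook-mode={mode}",
        f"--audit-webhook-initial-backoff={cfg.get('initialBackOff') or '10s'}",
        f"--audit-webhook-version={cfg.get('version') or 'audit.k8s.io/v1'}",
    ]

    batch = cfg.get("batch") or {}
    if mode == "batch" and batch:   # batch settings only apply in batch mode
        for field, flag in (("bufferSize", "batch-buffer-size"),
                            ("maxSize", "batch-max-size"),
                            ("maxWait", "batch-max-wait")):
            if batch.get(field):
                flags.append(f"--audit-webhook-{flag}={batch[field]}")
        throttle = batch.get("throttle") or {}
        if throttle.get("disable"):
            flags.append("--audit-webhook-batch-throttle-enable=false")
        for field, flag in (("burst", "batch-throttle-burst"), ("QPS", "batch-throttle-qps")):
            if throttle.get(field):
                flags.append(f"--audit-webhook-{flag}={throttle[field]}")

    truncate = cfg.get("truncate") or {}
    if truncate.get("enable"):
        flags.append("--audit-webhook-truncate-enabled=true")
        for field, flag in (("maxBatchSize", "truncate-max-batch-size"),
                            ("maxEventSize", "truncate-max-event-size")):
            if truncate.get(field):
                flags.append(f"--audit-webhook-{flag}={truncate[field]}")
    return flags


def audit_flags(features):
    """Combine both backends. Both reuse --audit-policy-file, so they must name the same policy."""
    static = static_audit_flags(features.get("staticAuditLog") or {})
    webhook = webhook_audit_flags(features.get("webhookAuditLog") or {})
    policies = {f for f in static + webhook if f.startswith("--audit-policy-file=")}
    if len(policies) > 1:
        raise ValueError(f"static and webhook audit logs name different policy files: {sorted(policies)}")
    seen, combined = set(), []
    for flag in static + webhook:
        if flag not in seen:
            seen.add(flag)
            combined.append(flag)
    return combined


# Constructed sample: local log file plus a batching webhook with throttling disabled.
FEATURES = {
    "staticAuditLog": {"enable": True, "config": {"policyFilePath": "/etc/kubernetes/audit/policy.yaml"}},
    "webhookAuditLog": {"enable": True, "config": {
        "policyFilePath": "/etc/kubernetes/audit/policy.yaml",
        "configFilePath": "/etc/kubernetes/audit/webhook.kubeconfig",
        "batch": {"bufferSize": 10000, "throttle": {"disable": True}},
        "truncate": {"enable": True, "maxEventSize": 102400},
    }},
}

if __name__ == "__main__":
    for flag in audit_flags(FEATURES):
        print(flag)
```

Running both backends at once is the usual resilient setup: the webhook ships events off-box so an attacker with node access cannot erase them, while the local file keeps a copy if the webhook is down. The bufferSize caveat in the reference matters here, since in batch mode overflowing the buffer drops events rather than blocking the request.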