Kubermatic Virtualization CRDs Reference

v1alpha1

KubeVRole

KubeVRole defines what operations a subject may perform.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | KubeVRoleSpec | true

KubeVRoleBinding

KubeVRoleBinding grants a KubeVRole to a user.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | KubeVRoleBindingSpec | true

KubeVRoleBindingList

KubeVRoleBindingList is the list type for KubeVRoleBinding.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []KubeVRoleBinding | true

KubeVRoleBindingSpec

KubeVRoleBindingSpec defines who gets what role.

Field | Description | Scheme | Required
--- | --- | --- | ---
subject | Subject is the name of the User being bound. | string | true
roleRef | RoleRef is the name of the KubeVRole to grant. | string | true

KubeVRoleList

KubeVRoleList is the list type for KubeVRole.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []KubeVRole | true

KubeVRoleSpec

KubeVRoleSpec defines the rules of a KubeVRole.

Field | Description | Scheme | Required
--- | --- | --- | ---
displayName | DisplayName is a human-readable label shown in the UI. | string | false
description | Description explains what this role is intended for. | string | false
system | System marks the role as built-in. System roles cannot be deleted via the API. | bool | false
rules | Rules is the list of policy rules that define the permissions of this role. | []PolicyRule | true

PolicyRule

PolicyRule grants a set of verbs on a set of resources, optionally scoped to one or more resource groups. Leaving resourceGroups or resources empty (or setting either to ["*"]) is a wildcard that matches everything on that axis, and "*" in verbs permits every verb, so a rule that names only verbs applies to every resource type in every group. Scope rules to explicit groups and resource types unless that breadth is intended.

Example — full compute access:

{ resourceGroups: ["compute"], verbs: ["*"] }

Example — read-only access to a single resource type:

{ resourceGroups: ["networking"], resources: ["subnets"], verbs: ["view"] }

Field | Description | Scheme | Required
--- | --- | --- | ---
resourceGroups | ResourceGroups scopes the rule to one or more IAM resource categories (e.g. "compute", "networking", "storage", "iam"). An empty list or ["*"] matches all groups. | []string | false
resources | Resources further narrows the rule to specific resource types within the group (e.g. "virtualmachines", "subnets"). An empty list or ["*"] matches all resources in the matched groups. | []string | false
verbs | Verbs is the list of operations this rule permits. Standard verbs are: create, delete, update, view, manage, start, stop, restart, console. The wildcard "*" permits all verbs. | []string | true
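
A worked evaluator for these rules, added here as an illustration and not code from Kubermatic: the types mirror the KubeVRole, KubeVRoleBinding and PolicyRule fields above and the matching follows the wildcard semantics just stated. Everything else is an assumption of the example: rules are additive with no deny, a binding whose roleRef does not resolve grants nothing, the User name is derived from the OIDC sub by hashing (the page does not document the controller's naming scheme), and the sample roles and subjects are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirrors of the spec fields documented above (field names only; this is
// not the project's generated API package).
type PolicyRule struct {
	ResourceGroups []string
	Resources      []string
	Verbs          []string
}

type KubeVRoleSpec struct {
	Rules []PolicyRule
}

type KubeVRoleBindingSpec struct {
	Subject string // name of the bound User resource
	RoleRef string // name of the KubeVRole
}

// isWildcard implements the documented rule: an empty list, or one that
// contains "*", matches everything on that axis.
func isWildcard(list []string) bool {
	if len(list) == 0 {
		return true
	}
	for _, v := range list {
		if v == "*" {
			return true
		}
	}
	return false
}

func matches(list []string, want string) bool {
	if isWildcard(list) {
		return true
	}
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Allowed reports whether subject may perform verb on resource within group.
// Assumed semantics: rules are additive and there is no deny rule, so any
// matching rule of any bound role grants access; a dangling roleRef grants
// nothing.
func Allowed(roles map[string]KubeVRoleSpec, bindings []KubeVRoleBindingSpec,
	subject, group, resource, verb string) bool {
	for _, b := range bindings {
		if b.Subject != subject {
			continue
		}
		role, ok := roles[b.RoleRef]
		if !ok {
			continue
		}
		for _, r := range role.Rules {
			if matches(r.ResourceGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
				return true
			}
		}
	}
	return false
}

// Overbroad flags a rule that is a wildcard on all three axes, i.e. full
// administrative access; an audit should demand a justification for such
// rules outside system roles.
func Overbroad(r PolicyRule) bool {
	return isWildcard(r.ResourceGroups) && isWildcard(r.Resources) && isWildcard(r.Verbs)
}

// UserNameForSub derives a deterministic, DNS-label-safe resource name from
// an OIDC sub claim. Assumed naming scheme; it illustrates why bindings
// reference User names rather than raw subs, which may contain "/", "|" or
// upper-case characters that are not valid in Kubernetes object names.
func UserNameForSub(sub string) string {
	sum := sha256.Sum256([]byte(sub))
	return "user-" + hex.EncodeToString(sum[:8])
}

func main() {
	roles := map[string]KubeVRoleSpec{ // constructed sample roles
		"net-viewer":    {Rules: []PolicyRule{{ResourceGroups: []string{"networking"}, Resources: []string{"subnets"}, Verbs: []string{"view"}}}},
		"compute-admin": {Rules: []PolicyRule{{ResourceGroups: []string{"compute"}, Verbs: []string{"*"}}}},
		"read-all":      {Rules: []PolicyRule{{Verbs: []string{"view"}}}}, // no groups/resources: reads everything
	}
	alice := UserNameForSub("https://accounts.example.com/|1234") // constructed sub claim
	bindings := []KubeVRoleBindingSpec{{Subject: alice, RoleRef: "net-viewer"}}
	fmt.Println(Allowed(roles, bindings, alice, "networking", "subnets", "view"))   // true
	fmt.Println(Allowed(roles, bindings, alice, "networking", "subnets", "delete")) // false
	fmt.Println(Overbroad(PolicyRule{Verbs: []string{"*"}}))                       // true
}
```

The "read-all" role shows the wildcard trap the text warns about: a rule that lists only verbs matches every group and every resource type, so Allowed grants it view on IAM objects as well as on compute.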

User

User represents a synced OIDC identity. The controller creates and updates these from OIDC subject claims so that bindings can reference stable K8s resource names instead of raw OIDC subjects.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | UserSpec | false
status | | UserStatus | false

UserList

UserList is the list type for User.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []User | true

UserSpec

UserSpec is the desired state of a User.

Field | Description | Scheme | Required
--- | --- | --- | ---
sub | Sub is the stable OIDC subject identifier (never changes for a given user). | string | true
email | Email is the user's email address from the OIDC claims. | string | false
name | Name is the user's display name from the OIDC claims. | string | false
disabled | Disabled prevents the user from authenticating when true. | bool | false

UserStatus

UserStatus is the observed state of a User.

Field | Description | Scheme | Required
--- | --- | --- | ---
lastSeen | LastSeen is the timestamp of the user's most recent authentication. | *metav1.Time | false

Image

Image is a catalog entry describing an OS image available for use as a DataVolume source when creating VirtualMachines or VMPools.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | ImageSpec | false

ImageList

ImageList is the list type for Image.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []Image | true

ImageSourceGCS

ImageSourceGCS references an image stored in Google Cloud Storage.

Field | Description | Scheme | Required
--- | --- | --- | ---
url | URL is the GCS URL of the image. | string | true

ImageSourceHTTP

ImageSourceHTTP references an image hosted at an HTTP/HTTPS URL.

Field | Description | Scheme | Required
--- | --- | --- | ---
url | URL is the full HTTP/HTTPS URL of the image. | string | true

ImageSourcePVC

ImageSourcePVC references an image backed by an existing PersistentVolumeClaim.

Field | Description | Scheme | Required
--- | --- | --- | ---
name | Name is the PVC name. | string | true
namespace | Namespace is the PVC namespace. Defaults to the Image's namespace when omitted. | string | false

ImageSourceRegistry

ImageSourceRegistry references an image stored in a container registry.

Field | Description | Scheme | Required
--- | --- | --- | ---
url | URL is the full registry URL including tag or digest (e.g. docker.io/library/ubuntu:22.04). | string | true

ImageSourceS3

ImageSourceS3 references an image stored in an S3-compatible bucket.

Field | Description | Scheme | Required
--- | --- | --- | ---
url | URL is the S3 URL of the image. | string | true

ImageSpec

ImageSpec defines the desired state of an Image.

Field | Description | Scheme | Required
--- | --- | --- | ---
type | Type identifies the kind of source backing this image. | ImageSourceType | true
readableName | ReadableName is a human-friendly display name shown in the UI. | string | true
readableDescription | ReadableDescription is an optional human-friendly description. | string | false
credentials | Credentials is an optional reference to a Secret holding credentials required to access the image source. | string | false
http | HTTP describes an image hosted at an HTTP/HTTPS URL. | *ImageSourceHTTP | false
registry | Registry describes an image stored in a container registry. | *ImageSourceRegistry | false
s3 | S3 describes an image stored in an S3-compatible object store. | *ImageSourceS3 | false
gcs | GCS describes an image stored in Google Cloud Storage. | *ImageSourceGCS | false
pvc | PVC describes an image backed by an existing PersistentVolumeClaim. | *ImageSourcePVC | false

SSHKey

SSHKey stores an SSH public key in the workspace namespace. The controller reconciles each SSHKey into an owned K8s Secret so that cloud-init can inject the key into virtual machines at creation time.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | SSHKeySpec | false
status | | SSHKeyStatus | false

SSHKeyList

SSHKeyList is the list type for SSHKey.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []SSHKey | true

SSHKeySpec

SSHKeySpec defines the desired state of an SSHKey.

Field | Description | Scheme | Required
--- | --- | --- | ---
publicKey | PublicKey is the SSH public key content (e.g. "ssh-rsa AAAA… user@host"). | string | true
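
Because the reconciled Secret is handed straight to cloud-init, the value of publicKey should be validated before it is written. The following admission-style check is an added example, not the project's code: it accepts only the "<type> <base64> [comment]" form shown above and parses the RFC 4253 wire format inside the base64 blob so that the declared type must match the encoded one. The allowed key types, the 2048-bit RSA floor and the sample key material (all-zero bytes, not a real key) are assumptions made here.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// allowedKeyTypes is an assumed admission policy, not a project setting.
var allowedKeyTypes = map[string]bool{
	"ssh-ed25519":         true,
	"ecdsa-sha2-nistp256": true,
	"ssh-rsa":             true,
}

const minRSABits = 2048 // assumed policy

// readString pulls one RFC 4251 length-prefixed string out of blob at off.
func readString(blob []byte, off int) ([]byte, int, error) {
	if off+4 > len(blob) {
		return nil, 0, errors.New("truncated key blob")
	}
	n := int(blob[off])<<24 | int(blob[off+1])<<16 | int(blob[off+2])<<8 | int(blob[off+3])
	off += 4
	if n < 0 || off+n > len(blob) {
		return nil, 0, errors.New("truncated key blob")
	}
	return blob[off : off+n], off + n, nil
}

// ValidatePublicKey accepts exactly "<type> <base64> [comment]" and returns
// the key type. authorized_keys options such as command="..." are rejected
// because the first field must be a known key type.
func ValidatePublicKey(line string) (string, error) {
	line = strings.TrimSpace(line)
	if strings.Contains(line, "PRIVATE KEY") {
		return "", errors.New("refusing private key material")
	}
	if strings.ContainsAny(line, "\r\n") {
		return "", errors.New("key must be a single line") // a second line would add an extra authorized_keys entry
	}
	fields := strings.Fields(line)
	if len(fields) < 2 || len(fields) > 3 {
		return "", errors.New("expected '<type> <base64> [comment]'")
	}
	keyType := fields[0]
	if !allowedKeyTypes[keyType] {
		return "", fmt.Errorf("key type %q not allowed", keyType)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", fmt.Errorf("invalid base64: %w", err)
	}
	// The blob starts with a length-prefixed string naming the key type.
	inner, off, err := readString(blob, 0)
	if err != nil {
		return "", err
	}
	if string(inner) != keyType {
		return "", fmt.Errorf("declared type %q does not match blob type %q", keyType, inner)
	}
	if keyType == "ssh-rsa" {
		if _, off, err = readString(blob, off); err != nil { // public exponent e
			return "", err
		}
		n, _, err := readString(blob, off) // modulus n as an mpint
		if err != nil {
			return "", err
		}
		for len(n) > 0 && n[0] == 0 { // strip the mpint sign byte / leading zeros
			n = n[1:]
		}
		if len(n) == 0 || (len(n)-1)*8+bits.Len8(n[0]) < minRSABits {
			return "", errors.New("RSA modulus shorter than 2048 bits")
		}
	}
	return keyType, nil
}

// sshBlob builds a base64 key blob from length-prefixed parts. It exists only
// to construct sample keys here; the bytes are not real key material.
func sshBlob(parts ...[]byte) string {
	var b []byte
	for _, p := range parts {
		n := len(p)
		b = append(b, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
		b = append(b, p...)
	}
	return base64.StdEncoding.EncodeToString(b)
}

func main() {
	ed := "ssh-ed25519 " + sshBlob([]byte("ssh-ed25519"), make([]byte, 32)) + " alice@example"
	fmt.Println(ValidatePublicKey(ed))                        // ssh-ed25519 <nil>
	fmt.Println(ValidatePublicKey(`command="/bin/sh" ` + ed)) // rejected: options are not a key type
}
```

Checking the inner type string matters because cloud-init and sshd trust the blob, not the label: a line labelled ssh-ed25519 that carries an RSA blob would otherwise be stored and later fail or, with a permissive consumer, be accepted as something the reviewer never looked at.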

SSHKeyStatus

SSHKeyStatus is the observed state of an SSHKey.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase. | SSHKeyPhase | false
secretRef | SecretRef is the name of the managed Secret in the same namespace. | string | false
message | Message contains a human-readable description of the current phase. | string | false

DNATRule

DNATRule maps an external port on an EIP to an internal address and port.

Field | Description | Scheme | Required
--- | --- | --- | ---
externalPort | ExternalPort is the port on the EIP to forward. | string | true
internalIP | InternalIP is the internal VM IP to forward traffic to. | string | true
internalPort | InternalPort is the destination port on the internal VM. | string | true
protocol | Protocol is the transport protocol: tcp or udp. | string | false
eipRef | EIPRef is the name of the ElasticIP wrapper in the same namespace. | string | true

ElasticIP

ElasticIP is the namespace-scoped wrapper for a Kube-OVN IptablesEIP resource. It represents a public IP address that can be associated with a NAT gateway.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | ElasticIPSpec | false
status | | ElasticIPStatus | false

ElasticIPList

ElasticIPList is the list type for ElasticIP.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []ElasticIP | true

ElasticIPSpec

ElasticIPSpec defines the desired state of an ElasticIP.

Field | Description | Scheme | Required
--- | --- | --- | ---
natGatewayRef | NATGatewayRef is the name of the NATGateway wrapper this EIP belongs to. | string | false

ElasticIPStatus

ElasticIPStatus is the observed state of the ElasticIP wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase. | Phase | false
realName | RealName is the actual Kube-OVN IptablesEIP object name. | string | false
ipAddress | IPAddress is the public IP address allocated to this EIP. | string | false
isUsed | IsUsed indicates whether this EIP is currently in use by a NAT rule. | bool | true
associatedNat | AssociatedNAT is the real Kube-OVN NAT gateway name this EIP is bound to. | string | false

NATGateway

NATGateway is the namespace-scoped wrapper for a Kube-OVN VpcNatGateway resource. It bundles SNAT and DNAT rules that are individually provisioned as separate Kube-OVN objects (IptablesSnatRule / IptablesDnatRule).

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | NATGatewaySpec | false
status | | NATGatewayStatus | false

NATGatewayList

NATGatewayList is the list type for NATGateway.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []NATGateway | true

NATGatewaySpec

NATGatewaySpec defines the desired state of a NAT gateway.

Field | Description | Scheme | Required
--- | --- | --- | ---
vpcRef | VPCRef is the name of the VPC wrapper in the same namespace. | string | true
subnetRef | SubnetRef is the name of the Subnet wrapper in the same namespace. | string | true
lanIP | LanIP is the LAN-side IP address of the NAT gateway. | string | false
snatRules | SNATRules define source NAT rules for outbound connectivity. | []SNATRule | false
dnatRules | DNATRules define destination NAT rules for inbound port-forwarding. | []DNATRule | false

NATGatewayStatus

NATGatewayStatus is the observed state of the NATGateway wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase. | Phase | false
realName | RealName is the actual Kube-OVN VpcNatGateway object name. | string | false

SNATRule

SNATRule maps an internal CIDR to an EIP for outbound NAT.

Field | Description | Scheme | Required
--- | --- | --- | ---
cidr | CIDR is the internal IP range to SNAT. | string | true
eipRef | EIPRef is the name of the ElasticIP wrapper in the same namespace. | string | true

SecurityGroup

SecurityGroup is the namespace-scoped wrapper for a Kube-OVN SecurityGroup resource. It defines ACL-based firewall rules that can be applied to VMs.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | SecurityGroupSpec | false
status | | SecurityGroupStatus | false

SecurityGroupList

SecurityGroupList is the list type for SecurityGroup.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []SecurityGroup | true

SecurityGroupRule

SecurityGroupRule is a single ACL rule within a SecurityGroup.

Field | Description | Scheme | Required
--- | --- | --- | ---
ipVersion | IPVersion specifies whether the rule applies to IPv4 or IPv6 traffic. | string | false
protocol | Protocol is the network protocol: tcp, udp, icmp, or all. | string | false
priority | Priority determines the rule evaluation order (lower values = higher priority). | int | false
remoteType | RemoteType is the type of the remote endpoint: address or securityGroup. | string | true
remoteAddress | RemoteAddress is the IP address or CIDR of the remote endpoint when RemoteType is address. | string | false
remoteSecurityGroup | RemoteSecurityGroup is the name of the remote security group when RemoteType is securityGroup. | string | false
portRangeMin | PortRangeMin is the inclusive minimum port number for this rule. | int | false
portRangeMax | PortRangeMax is the inclusive maximum port number for this rule. | int | false
policy | Policy is the rule action: allow or drop. | string | true

SecurityGroupSpec

SecurityGroupSpec defines the desired firewall rules.

Field | Description | Scheme | Required
--- | --- | --- | ---
allowSameGroupTraffic | AllowSameGroupTraffic permits traffic between members of the same security group. | bool | false
ingressRules | IngressRules defines the inbound firewall rules. | []SecurityGroupRule | false
egressRules | EgressRules defines the outbound firewall rules. | []SecurityGroupRule | false
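
An added example, not the project's code, of the checks a validating webhook would run on SecurityGroupRule entries before they become Kube-OVN ACLs, followed by a first-match evaluation in priority order and a detector for allow rules that admit any source on any port. The struct mirrors the fields listed above. Assumptions of the example: ipVersion carries the values "ipv4" or "ipv6", a 0/0 port range on tcp/udp means all ports, evaluation stops at the first matching rule (the page only states that lower priority values are evaluated first), securityGroup-type remotes are skipped because they need a membership lookup, and the sample rules are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sort"
	"strings"
)

// SecurityGroupRule mirrors the fields documented above.
type SecurityGroupRule struct {
	IPVersion           string // assumed values "ipv4" / "ipv6"
	Protocol            string // tcp, udp, icmp, all
	Priority            int    // lower value = evaluated first
	RemoteType          string // address | securityGroup
	RemoteAddress       string // IP or CIDR when RemoteType is address
	RemoteSecurityGroup string
	PortRangeMin        int
	PortRangeMax        int
	Policy              string // allow | drop
}

// parseRemote turns a bare IP or a CIDR into a network.
func parseRemote(addr string) (*net.IPNet, error) {
	if _, n, err := net.ParseCIDR(addr); err == nil {
		return n, nil
	}
	ip := net.ParseIP(addr)
	if ip == nil {
		return nil, fmt.Errorf("remoteAddress %q is neither an IP nor a CIDR", addr)
	}
	size := 128
	if ip.To4() != nil {
		ip, size = ip.To4(), 32
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(size, size)}, nil
}

// ValidateRule rejects rules whose fields contradict each other.
func ValidateRule(r SecurityGroupRule) error {
	if r.Policy != "allow" && r.Policy != "drop" {
		return fmt.Errorf("policy %q: want allow or drop", r.Policy)
	}
	switch r.Protocol {
	case "", "tcp", "udp", "icmp", "all":
	default:
		return fmt.Errorf("protocol %q: want tcp, udp, icmp or all", r.Protocol)
	}
	switch r.RemoteType {
	case "address":
		if r.RemoteSecurityGroup != "" {
			return errors.New("remoteSecurityGroup must be empty when remoteType is address")
		}
		n, err := parseRemote(r.RemoteAddress)
		if err != nil {
			return err
		}
		isV4 := n.IP.To4() != nil
		if v := strings.ToLower(r.IPVersion); (v == "ipv4" && !isV4) || (v == "ipv6" && isV4) {
			return fmt.Errorf("ipVersion %q does not match remoteAddress %q", r.IPVersion, r.RemoteAddress)
		}
	case "securityGroup":
		if r.RemoteSecurityGroup == "" || r.RemoteAddress != "" {
			return errors.New("remoteType securityGroup needs remoteSecurityGroup and no remoteAddress")
		}
	default:
		return fmt.Errorf("remoteType %q: want address or securityGroup", r.RemoteType)
	}
	// Ports are only meaningful for tcp/udp; 0/0 is read as "all ports" (assumption).
	if r.Protocol == "tcp" || r.Protocol == "udp" {
		if !(r.PortRangeMin == 0 && r.PortRangeMax == 0) &&
			(r.PortRangeMin < 1 || r.PortRangeMax > 65535 || r.PortRangeMin > r.PortRangeMax) {
			return fmt.Errorf("port range %d-%d invalid", r.PortRangeMin, r.PortRangeMax)
		}
	} else if r.PortRangeMin != 0 || r.PortRangeMax != 0 {
		return fmt.Errorf("port range set on protocol %q", r.Protocol)
	}
	return nil
}

// FirstMatch evaluates address-type rules from lowest priority value upward
// and returns the first one matching the packet (assumed first-match-wins).
func FirstMatch(rules []SecurityGroupRule, proto string, port int, remote net.IP) (SecurityGroupRule, bool) {
	sorted := append([]SecurityGroupRule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.RemoteType != "address" {
			continue // membership of a remote group is not known here
		}
		if r.Protocol != "" && r.Protocol != "all" && r.Protocol != proto {
			continue
		}
		if (r.Protocol == "tcp" || r.Protocol == "udp") && r.PortRangeMax != 0 &&
			(port < r.PortRangeMin || port > r.PortRangeMax) {
			continue
		}
		if n, err := parseRemote(r.RemoteAddress); err != nil || !n.Contains(remote) {
			continue
		}
		return r, true
	}
	return SecurityGroupRule{}, false
}

// WideOpen reports an allow rule that admits any source on any port.
func WideOpen(r SecurityGroupRule) bool {
	if r.Policy != "allow" || r.RemoteType != "address" {
		return false
	}
	n, err := parseRemote(r.RemoteAddress)
	if err != nil {
		return false
	}
	ones, _ := n.Mask.Size()
	allPorts := r.PortRangeMax == 0 || (r.PortRangeMin <= 1 && r.PortRangeMax >= 65535)
	return ones == 0 && allPorts
}

func main() {
	ingress := []SecurityGroupRule{ // constructed sample rules
		{Priority: 100, RemoteType: "address", RemoteAddress: "0.0.0.0/0", Protocol: "tcp", PortRangeMin: 22, PortRangeMax: 22, Policy: "allow"},
		{Priority: 10, RemoteType: "address", RemoteAddress: "10.0.0.0/8", Protocol: "tcp", PortRangeMin: 22, PortRangeMax: 22, Policy: "drop"},
	}
	for _, r := range ingress {
		if err := ValidateRule(r); err != nil {
			fmt.Println("invalid:", err)
		}
	}
	r, ok := FirstMatch(ingress, "tcp", 22, net.ParseIP("10.1.2.3"))
	fmt.Println(r.Policy, ok) // drop true: priority 10 is evaluated before 100
}
```

The ipVersion cross-check matters because a rule declared for IPv6 with an IPv4 remoteAddress would otherwise be accepted and silently never match, leaving the traffic it was meant to restrict unfiltered.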

SecurityGroupStatus

SecurityGroupStatus is the observed state of the SecurityGroup wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase. | Phase | false
realName | RealName is the actual Kube-OVN SecurityGroup object name. | string | false

Subnet

Subnet is the namespace-scoped wrapper for a Kube-OVN Subnet resource. It is always associated with a VPC wrapper in the same namespace.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | SubnetSpec | false
status | | SubnetStatus | false

SubnetList

SubnetList is the list type for Subnet.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []Subnet | true

SubnetSpec

SubnetSpec defines the desired state of a Subnet wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
vpcRef | VPCRef is the name of the VPC wrapper in the same namespace. | string | true
cidrBlock | CIDRBlock is the IP address range for this subnet. | string | true
gateway | Gateway is the gateway IP address for this subnet. | string | false
protocol | Protocol is the IP protocol family: IPv4, IPv6, or Dual. | string | false
excludeIPs | ExcludeIPs is a list of IP ranges to exclude from allocation. | []string | false
enableDHCP | EnableDHCP enables DHCP on this subnet. | bool | false
gatewayType | GatewayType controls the gateway mode: distributed or centralized. | string | false
natOutgoing | NatOutgoing enables NAT for traffic leaving this subnet. | bool | false
private | Private denies traffic from outside this subnet when true. | bool | false
provider | Provider is the Kube-OVN provider name for this subnet, used to associate it with a NetworkAttachmentDefinition (NAD) via Kube-OVN's provider matching. Required for multi-homed pods (e.g. AZ transit NICs). | string | false

SubnetStatus

SubnetStatus is the observed state of the Subnet wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase of this Subnet. | Phase | false
realName | RealName is the actual Kube-OVN Subnet object name. | string | false
vpcRealName | VPCRealName is the real Kube-OVN Vpc name this subnet belongs to. | string | false
availableIPs | AvailableIPs is the number of IP addresses currently available in this subnet. | int64 | true
usedIPs | UsedIPs is the number of IP addresses currently in use. | int64 | true

UnderlayCustomInterface

UnderlayCustomInterface overrides DefaultInterface on a specific set of nodes.

Field | Description | Scheme | Required
--- | --- | --- | ---
interface | Interface is the physical NIC name to use on the listed nodes. It must be a valid Linux network interface name, which the kernel caps at 15 bytes. | string | true
nodes | Nodes is the list of node names that use Interface instead of the spec-level DefaultInterface. | []string | true

UnderlaySubnet

UnderlaySubnet is the namespace-scoped wrapper that bundles the three Kube-OVN objects required to expose an underlay (L2) network: a cluster-scoped ProviderNetwork (which physical NIC per node), a Vlan (the 802.1Q tag), and a Subnet bound to that Vlan. The reconciler ensures the children are created and torn down in dependency order.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | UnderlaySubnetSpec | false
status | | UnderlaySubnetStatus | false

UnderlaySubnetList

UnderlaySubnetList is the list type for UnderlaySubnet.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []UnderlaySubnet | true

UnderlaySubnetSpec

UnderlaySubnetSpec defines the desired state of an UnderlaySubnet wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
defaultInterface | DefaultInterface is the physical NIC name (e.g. "eth1") that the ProviderNetwork attaches to on every selected node. It must be a valid Linux network interface name, which the kernel caps at 15 bytes. | string | true
nodeSelector | NodeSelector restricts the ProviderNetwork to a subset of nodes via label selection. When empty, the ProviderNetwork applies to all nodes. | *metav1.LabelSelector | false
customInterfaces | CustomInterfaces overrides DefaultInterface on specific nodes. | []UnderlayCustomInterface | false
vlanID | VlanID is the 802.1Q tag applied to traffic on this underlay. | int | true
cidrBlock | CIDRBlock is the IP address range allocated from this underlay subnet. | string | true
gateway | Gateway is the gateway IP address for this subnet. | string | false
gatewayNode | GatewayNode is the comma-separated list of node names that host the centralized gateway for this subnet. | string | false
protocol | Protocol is the IP protocol family: IPv4, IPv6, or Dual. | string | false
excludeIPs | ExcludeIPs is a list of IP addresses or ranges to exclude from allocation. | []string | false
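
An added example, not the project's code, that validates the cidrBlock, gateway and excludeIPs fields shared by SubnetSpec and UnderlaySubnetSpec, plus the interface-name, customInterfaces and vlanID fields that only UnderlaySubnetSpec carries. Assumptions of the example: an excludeIPs entry is a single address or an inclusive "start..end" range, the 802.1Q tag must be 1-4094 (0 is the untagged/priority-tag value and 4095 is reserved), interface names follow the Linux kernel's dev_valid_name rules on top of the 15-byte cap stated above, and the sample values are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Go mirrors of the UnderlaySubnetSpec fields used here (not the project's types).
type UnderlayCustomInterface struct {
	Interface string
	Nodes     []string
}

type UnderlaySubnetSpec struct {
	DefaultInterface string
	CustomInterfaces []UnderlayCustomInterface
	VlanID           int
	CIDRBlock        string
	Gateway          string
	ExcludeIPs       []string
}

// ValidateAddressing checks that the CIDR is canonical, the gateway lies
// inside it, and every excludeIPs entry (address or "start..end" range,
// assumed syntax) lies inside it with start <= end.
func ValidateAddressing(cidrBlock, gateway string, excludeIPs []string) error {
	ip, network, err := net.ParseCIDR(cidrBlock)
	if err != nil {
		return fmt.Errorf("cidrBlock: %w", err)
	}
	if !ip.Equal(network.IP) {
		return fmt.Errorf("cidrBlock %q has host bits set; use %s", cidrBlock, network)
	}
	if gateway != "" {
		gw := net.ParseIP(gateway)
		if gw == nil || !network.Contains(gw) {
			return fmt.Errorf("gateway %q is not inside %s", gateway, network)
		}
		if gw.Equal(network.IP) {
			return errors.New("gateway must not be the network address")
		}
	}
	for _, e := range excludeIPs {
		start, end, isRange := strings.Cut(e, "..")
		if !isRange {
			end = start
		}
		s, t := net.ParseIP(start), net.ParseIP(end)
		if s == nil || t == nil || !network.Contains(s) || !network.Contains(t) {
			return fmt.Errorf("excludeIPs entry %q is not inside %s", e, network)
		}
		if bytes.Compare(s.To16(), t.To16()) > 0 {
			return fmt.Errorf("excludeIPs range %q runs backwards", e)
		}
	}
	return nil
}

// validIfName enforces the 15-byte kernel limit plus the characters the
// kernel's dev_valid_name rejects ('/', ':' and whitespace, "." and "..").
func validIfName(name string) error {
	if name == "" || len(name) > 15 {
		return fmt.Errorf("interface name %q must be 1-15 bytes", name)
	}
	if strings.ContainsAny(name, "/: \t\n") || name == "." || name == ".." {
		return fmt.Errorf("interface name %q contains characters the kernel rejects", name)
	}
	return nil
}

// ValidateUnderlay applies the per-node interface rules, rejects a node that
// is claimed by two customInterfaces entries, and bounds the VLAN tag.
func ValidateUnderlay(spec UnderlaySubnetSpec) error {
	if err := validIfName(spec.DefaultInterface); err != nil {
		return err
	}
	seen := map[string]string{} // node -> interface already claimed
	for _, ci := range spec.CustomInterfaces {
		if err := validIfName(ci.Interface); err != nil {
			return err
		}
		for _, node := range ci.Nodes {
			if prev, dup := seen[node]; dup {
				return fmt.Errorf("node %q listed for both %q and %q", node, prev, ci.Interface)
			}
			seen[node] = ci.Interface
		}
	}
	if spec.VlanID < 1 || spec.VlanID > 4094 { // assumed policy: an explicit, non-reserved tag
		return fmt.Errorf("vlanID %d outside 1-4094", spec.VlanID)
	}
	return ValidateAddressing(spec.CIDRBlock, spec.Gateway, spec.ExcludeIPs)
}

func main() {
	spec := UnderlaySubnetSpec{ // constructed example
		DefaultInterface: "eth1",
		CustomInterfaces: []UnderlayCustomInterface{{Interface: "ens2f0np0", Nodes: []string{"node-3"}}},
		VlanID:           100,
		CIDRBlock:        "192.0.2.0/24",
		Gateway:          "192.0.2.1",
		ExcludeIPs:       []string{"192.0.2.1", "192.0.2.250..192.0.2.254"},
	}
	fmt.Println(ValidateUnderlay(spec)) // <nil>
}
```

Rejecting a node that appears under two customInterfaces entries is the check most likely to save time in practice: the two entries would otherwise race to configure different NICs on the same host and the ProviderNetwork would flap between them.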

UnderlaySubnetStatus

UnderlaySubnetStatus is the observed state of the UnderlaySubnet wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the current lifecycle phase of this UnderlaySubnet. | Phase | false
providerNetworkName | ProviderNetworkName is the name of the cluster-scoped Kube-OVN ProviderNetwork backing this underlay. | string | false
vlanName | VlanName is the name of the cluster-scoped Kube-OVN Vlan backing this underlay. | string | false
subnetName | SubnetName is the name of the cluster-scoped Kube-OVN Subnet backing this underlay. | string | false
availableIPs | AvailableIPs is the number of IP addresses currently available in this subnet. | int64 | true
usedIPs | UsedIPs is the number of IP addresses currently in use. | int64 | true

VPC

VPC is the namespace-scoped wrapper for a Kube-OVN Vpc resource. Users create VPCs inside workspace namespaces; the operator reconciles them into cluster-scoped Kube-OVN Vpc objects, prefixing their names with the workspace namespace to prevent cross-tenant collisions.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ObjectMeta | false
spec | | VPCSpec | false
status | | VPCStatus | false

VPCBFDPort

VPCBFDPort holds optional BFD logical router port configuration.

Field | Description | Scheme | Required
--- | --- | --- | ---
enabled | Enabled activates the BFD port. | bool | true
ip | IP is the IP address assigned to the BFD port. | string | false
nodeSelector | NodeSelector restricts which nodes the BFD LRP is hosted on. If not set, Kube-OVN selects up to 3 nodes automatically. | *metav1.LabelSelector | false

VPCBFDPortStatus

VPCBFDPortStatus is the observed state of the BFD logical router port.

Field | Description | Scheme | Required
--- | --- | --- | ---
name | | string | false
ip | | string | false
nodes | | []string | false

VPCList

VPCList is the list type for VPC.

Field | Description | Scheme | Required
--- | --- | --- | ---
metadata | | metav1.ListMeta | false
items | | []VPC | true

VPCPeering

VPCPeering configures a peering connection between two VPCs. The RemoteVPCRef references the name of another VPC wrapper in the same namespace.

Field | Description | Scheme | Required
--- | --- | --- | ---
remoteVpcRef | RemoteVPCRef is the name of the remote VPC wrapper in the same namespace. | string | true
localConnectIP | LocalConnectIP is the local IP used to establish the peering connection. | string | false

VPCPolicyRoute

VPCPolicyRoute is a policy-based routing rule for the VPC router.

Field | Description | Scheme | Required
--- | --- | --- | ---
priority | Priority determines evaluation order; lower numbers are evaluated first. | int | false
match | Match is the OVN match expression that selects traffic for this rule. | string | true
action | Action is the rule action: allow, drop, or reroute. | string | true
nextHopIP | NextHopIP is required when Action is reroute. | string | false

VPCSpec

VPCSpec defines the desired state of a VPC wrapper.

Field | Description | Scheme | Required
--- | --- | --- | ---
defaultSubnet | DefaultSubnet is the name of the default subnet wrapper in this namespace. | string | false
staticRoutes | StaticRoutes configures static routes for the VPC router. | []VPCStaticRoute | false
policyRoutes | PolicyRoutes configures policy-based routing rules for the VPC router. | []VPCPolicyRoute | false
vpcPeerings | VPCPeerings configures peering connections to other VPCs in the same namespace. | []VPCPeering | false
enableExternal | EnableExternal controls whether the VPC has access to the external network. | bool | false
enableBfd | EnableBfd enables Bidirectional Forwarding Detection on the VPC router. | bool | false
bfdPort | BFDPort holds configuration for the BFD logical router port. Only effective when EnableBfd is true. | *VPCBFDPort | false

VPCStaticRoute

VPCStaticRoute is a single static route entry for the VPC router.

Field | Description | Scheme | Required
--- | --- | --- | ---
cidr | CIDR is the destination IP prefix for this route. | string | true
nextHopIP | NextHopIP is the IP address of the next-hop router. | string | true
policy | Policy is the routing policy direction: dst or src. | string | false
bfdID | BFDID is the UUID of the BFD session to associate with this route. When set, the underlying Kube-OVN VPC will use BFD-monitored ECMP for this route. | string | false
ecmpMode | ECMPMode sets the ECMP mode for this route (e.g. "ecmp" or "ecmp-symmetric"). | string | false

VPCStatus

VPCStatus mirrors the Kube-OVN VpcStatus, surfacing the full operational state of the underlying cluster-scoped Vpc object.

Field | Description | Scheme | Required
--- | --- | --- | ---
phase | Phase is the lifecycle phase of this VPC wrapper. | Phase | false
realName | RealName is the cluster-scoped Kube-OVN Vpc object name (namespace-prefixed). Used internally by dependent controllers. | string | false
standby | | bool | true
default | | bool | true
defaultLogicalSwitch | | string | true
router | | string | true
tcpLoadBalancer | | string | true
udpLoadBalancer | | string | true
sctpLoadBalancer | | string | true
tcpSessionLoadBalancer | | string | true
udpSessionLoadBalancer | | string | true
sctpSessionLoadBalancer | | string | true
subnets | Subnets lists the user-facing names of subnets belonging to this VPC (namespace prefix stripped). | []string | true
vpcPeerings | VPCPeerings lists the real names of peered Kube-OVN Vpcs. | []string | true
enableExternal | | bool | true
extraExternalSubnets | ExtraExternalSubnets lists additional external subnets attached to this VPC. | []string | true
enableBfd | | bool | true
bfdPort | | VPCBFDPortStatus | true