diff --git a/cmd/k8s-operator/operator.go b/cmd/k8s-operator/operator.go index 7ccb806c12499..9f9fe2f3c0a70 100644 --- a/cmd/k8s-operator/operator.go +++ b/cmd/k8s-operator/operator.go @@ -51,7 +51,8 @@ import ( // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart. //go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests -// TODO (irbekrm): generate CRD docs from the yamls +// Generate CRD API docs. +//go:generate go run github.com/elastic/crd-ref-docs --renderer=markdown --source-path=../../k8s-operator/apis/ --config=../../k8s-operator/api-docs-config.yaml --output-path=../../k8s-operator/api.md func main() { // Required to use our client API. We're fine with the instability since the diff --git a/go.mod b/go.mod index f7a004d8620cb..5663c770af57f 100644 --- a/go.mod +++ b/go.mod @@ -25,6 +25,7 @@ require ( github.com/distribution/reference v0.6.0 github.com/djherbis/times v1.6.0 github.com/dsnet/try v0.0.3 + github.com/elastic/crd-ref-docs v0.0.12 github.com/evanw/esbuild v0.19.11 github.com/frankban/quicktest v1.14.6 github.com/fxamacker/cbor/v2 v2.6.0 @@ -87,28 +88,28 @@ require ( github.com/u-root/u-root v0.12.0 github.com/vishvananda/netlink v1.2.1-beta.2 github.com/vishvananda/netns v0.0.4 - go.uber.org/zap v1.26.0 + go.uber.org/zap v1.27.0 go4.org/mem v0.0.0-20220726221520-4f986261bf13 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba - golang.org/x/crypto v0.24.0 + golang.org/x/crypto v0.25.0 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a - golang.org/x/mod v0.18.0 - golang.org/x/net v0.26.0 + golang.org/x/mod v0.19.0 + golang.org/x/net v0.27.0 golang.org/x/oauth2 v0.16.0 golang.org/x/sync v0.7.0 - golang.org/x/sys v0.21.0 - golang.org/x/term v0.21.0 + golang.org/x/sys v0.22.0 + golang.org/x/term v0.22.0 golang.org/x/time v0.5.0 - golang.org/x/tools v0.22.0 + golang.org/x/tools v0.23.0 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 golang.zx2c4.com/wireguard/windows v0.5.3 gopkg.in/square/go-jose.v2 v2.6.0 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 honnef.co/go/tools v0.4.6 - k8s.io/api v0.30.1 - k8s.io/apimachinery v0.30.1 - k8s.io/apiserver v0.30.1 - k8s.io/client-go v0.30.1 + k8s.io/api v0.30.3 + k8s.io/apimachinery v0.30.3 + k8s.io/apiserver v0.30.3 + k8s.io/client-go v0.30.3 nhooyr.io/websocket v1.8.10 sigs.k8s.io/controller-runtime v0.18.4 sigs.k8s.io/controller-tools v0.15.1-0.20240618033008-7824932b0cab @@ -117,6 +118,7 @@ require ( ) require ( + github.com/Masterminds/sprig v2.22.0+incompatible // indirect github.com/Microsoft/go-winio v0.6.1 // indirect github.com/bits-and-blooms/bitset v1.13.0 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect @@ -127,6 +129,7 @@ require ( github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/gobuffalo/flect v1.0.2 // indirect + github.com/goccy/go-yaml v1.12.0 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect github.com/gorilla/securecookie v1.1.2 // indirect @@ -134,6 +137,7 @@ require ( go.opentelemetry.io/otel v1.22.0 // indirect go.opentelemetry.io/otel/metric v1.22.0 // indirect go.opentelemetry.io/otel/trace v1.22.0 // indirect + golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect ) require ( @@ -201,7 +205,7 @@ require ( github.com/ettle/strcase v0.1.1 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect - github.com/fatih/color v1.16.0 // indirect + github.com/fatih/color v1.17.0 // indirect github.com/fatih/structtag v1.2.0 // indirect github.com/firefart/nonamedreturns v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 @@ -210,7 +214,7 @@ require ( github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.5.0 // indirect github.com/go-git/go-git/v5 v5.11.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect github.com/go-openapi/swag v0.22.7 // indirect @@ -252,7 +256,7 @@ require ( github.com/hashicorp/go-version v1.6.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hexops/gotextdiff v1.0.3 // indirect - github.com/huandu/xstrings v1.4.0 // indirect + github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect @@ -337,14 +341,14 @@ require ( github.com/sourcegraph/go-diff v0.7.0 // indirect github.com/spf13/afero v1.9.5 // indirect github.com/spf13/cast v1.6.0 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.16.0 // indirect github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect - github.com/stretchr/objx v0.5.0 // indirect - github.com/stretchr/testify v1.8.4 + github.com/stretchr/objx v0.5.2 // indirect + github.com/stretchr/testify v1.9.0 github.com/subosito/gotenv v1.4.2 // indirect github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 @@ -379,10 +383,10 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 howett.net/plist v1.0.0 // indirect - k8s.io/apiextensions-apiserver v0.30.1 // indirect - k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/apiextensions-apiserver v0.30.3 // indirect + k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 mvdan.cc/gofumpt v0.5.0 // indirect mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect diff --git a/go.sum b/go.sum index 825ca9c0fedc1..ecb40fae65af1 100644 --- a/go.sum +++ b/go.sum @@ -73,6 +73,8 @@ github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= +github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= @@ -224,7 +226,7 @@ github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= @@ -270,6 +272,8 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dsnet/try v0.0.3 h1:ptR59SsrcFUYbT/FhAbKTV6iLkeD6O18qfIWRml2fqI= github.com/dsnet/try v0.0.3/go.mod h1:WBM8tRpUmnXXhY1U6/S8dt6UWdHTQ7y8A5YSkRCkq40= +github.com/elastic/crd-ref-docs v0.0.12 h1:F3seyncbzUz3rT3d+caeYWhumb5ojYQ6Bl0Z+zOp16M= +github.com/elastic/crd-ref-docs v0.0.12/go.mod h1:X83mMBdJt05heJUYiS3T0yJ/JkCuliuhSUNav5Gjo/U= github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU= github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= @@ -292,8 +296,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/evanw/esbuild v0.19.11 h1:mbPO1VJ/df//jjUd+p/nRLYCpizXxXb2w/zZMShxa2k= github.com/evanw/esbuild v0.19.11/go.mod h1:D2vIQZqV/vIf/VRHtViaUtViZmG7o+kKmlBfVQuRi48= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= @@ -336,8 +340,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= @@ -350,6 +354,12 @@ github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdX github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= +github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q= +github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= +github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no= +github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= +github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE= +github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -379,6 +389,8 @@ github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM= +github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU= github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg= github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU= github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= @@ -540,8 +552,8 @@ github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3s github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM= github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= -github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/hugelgupf/vmtest v0.0.0-20240102225328-693afabdd27f h1:ov45/OzrJG8EKbGjn7jJZQJTN7Z1t73sFYNIRd64YlI= github.com/hugelgupf/vmtest v0.0.0-20240102225328-693afabdd27f/go.mod h1:JoDrYMZpDPYo6uH9/f6Peqms3zNNWT2XiGgioMOIGuI= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= @@ -634,6 +646,8 @@ github.com/ldez/gomoddirectives v0.2.3 h1:y7MBaisZVDYmKvt9/l1mjNCiSA1BVn34U0ObUc github.com/ldez/gomoddirectives v0.2.3/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo= github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4= +github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= +github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= github.com/leonklingele/grouper v1.1.1 h1:suWXRU57D4/Enn6pXR0QVqqWWrnJ9Osrz+5rjt8ivzU= github.com/leonklingele/grouper v1.1.1/go.mod h1:uk3I3uDfi9B6PeUjsCKi6ndcf63Uy7snXgR4yDYQVDY= github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCEtOM= @@ -857,8 +871,8 @@ github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -872,8 +886,9 @@ github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8L github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= @@ -885,8 +900,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/studio-b12/gowebdav v0.9.0 h1:1j1sc9gQnNxbXXM4M/CebPOX4aXYtr7MojAVcN4dHjU= github.com/studio-b12/gowebdav v0.9.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE= github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8= @@ -1011,8 +1026,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8= go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= @@ -1031,8 +1046,8 @@ golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1081,8 +1096,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1127,8 +1142,8 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1222,8 +1237,8 @@ golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1232,8 +1247,8 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1328,12 +1343,14 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUOU8xyFgXv6cOTp2HASDlsDk= +golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg= golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE= @@ -1485,22 +1502,22 @@ honnef.co/go/tools v0.4.6 h1:oFEHCKeID7to/3autwsWfnuv69j3NsfcXbvJKuIcep8= honnef.co/go/tools v0.4.6/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0= howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM= howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g= -k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= -k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= -k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= -k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= -k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U= -k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= -k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= -k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= -k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= +k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= +k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= mvdan.cc/gofumpt v0.5.0 h1:0EQ+Z56k8tXjj/6TQD25BFNKQXpCvT0rnansIc7Ug5E= mvdan.cc/gofumpt v0.5.0/go.mod h1:HBeVDtMKRZpXyxFciAirzdKklDlGu8aAy1wEbH5Y9js= mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wptyWgoH/6hwLs7QHTixo0I= diff --git a/k8s-operator/api-docs-config.yaml b/k8s-operator/api-docs-config.yaml new file mode 100644 index 0000000000000..214171ca35c0d --- /dev/null +++ b/k8s-operator/api-docs-config.yaml @@ -0,0 +1,6 @@ +# Copyright (c) Tailscale Inc & AUTHORS +# SPDX-License-Identifier: BSD-3-Clause + +processor: {} +render: + kubernetesVersion: 1.30 diff --git a/k8s-operator/api.md b/k8s-operator/api.md index b47641d08415f..1b72df0f2720b 100644 --- a/k8s-operator/api.md +++ b/k8s-operator/api.md @@ -1,27 +1,25 @@ # API Reference -Packages: - +## Packages - [tailscale.com/v1alpha1](#tailscalecomv1alpha1) -# tailscale.com/v1alpha1 -Resource Types: +## tailscale.com/v1alpha1 -- [Connector](#connector) +### Resource Types +- [Connector](#connector) +- [ConnectorList](#connectorlist) - [DNSConfig](#dnsconfig) - +- [DNSConfigList](#dnsconfiglist) - [ProxyClass](#proxyclass) +- [ProxyClassList](#proxyclasslist) -## Connector -[↩ Parent](#tailscalecomv1alpha1 ) - - +#### Connector @@ -32,309 +30,106 @@ Connector is a cluster-scoped resource. More info: https://tailscale.com/kb/1236/kubernetes-operator#deploying-exit-nodes-and-subnet-routers-on-kubernetes-using-connector-custom-resource -
Name | -Type | -Description | -Required | -
---|---|---|---|
apiVersion | -string | -tailscale.com/v1alpha1 | -true | -
kind | -string | -Connector | -true | -
metadata | -object | -Refer to the Kubernetes API documentation for the fields of the `metadata` field. | -true | -
spec | -object | -
- ConnectorSpec describes the desired Tailscale component.
-More info:
-https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - - Validations: |
- true | -
status | -object | -
- ConnectorStatus describes the status of the Connector. This is set
-and managed by the Tailscale operator. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
exitNode | -boolean | -
- ExitNode defines whether the Connector node should act as a
-Tailscale exit node. Defaults to false.
-https://tailscale.com/kb/1103/exit-nodes - |
- false | -
hostname | -string | -
- Hostname is the tailnet hostname that should be assigned to the
-Connector node. If unset, hostname defaults to - |
- false | -
proxyClass | -string | -
- ProxyClass is the name of the ProxyClass custom resource that
-contains configuration options that should be applied to the
-resources created for this Connector. If unset, the operator will
-create resources with the default configuration. - |
- false | -
subnetRouter | -object | -
- SubnetRouter defines subnet routes that the Connector node should
-expose to tailnet. If unset, none are exposed.
-https://tailscale.com/kb/1019/subnets/ - |
- false | -
tags | -[]string | -
- Tags that the Tailscale node will be tagged with.
-Defaults to [tag:k8s].
-To autoapprove the subnet routes or exit node defined by a Connector,
-you can configure Tailscale ACLs to give these tags the necessary
-permissions.
-See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
-If you specify custom tags here, you must also make the operator an owner of these tags.
-See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
-Tags cannot be changed once a Connector node has been created.
-Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
advertiseRoutes | -[]string | -
- AdvertiseRoutes refer to CIDRs that the subnet router should make
-available. Route values must be strings that represent a valid IPv4
-or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
-https://tailscale.com/kb/1201/4via6-subnets/ - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
conditions | -[]object | -
- List of status conditions to indicate the status of the Connector.
-Known condition types are `ConnectorReady`. - |
- false | -
hostname | -string | -
- Hostname is the fully qualified domain name of the Connector node.
-If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the
-node. - |
- false | -
isExitNode | -boolean | -
- IsExitNode is set to true if the Connector acts as an exit node. - |
- false | -
subnetRoutes | -string | -
- SubnetRoutes are the routes currently exposed to tailnet via this
-Connector instance. - |
- false | -
tailnetIPs | -[]string | -
- TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6)
-assigned to the Connector node. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
lastTransitionTime | -string | -
- lastTransitionTime is the last time the condition transitioned from one status to another.
-This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - - Format: date-time - |
- true | -
message | -string | -
- message is a human readable message indicating details about the transition.
-This may be an empty string. - |
- true | -
reason | -string | -
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
-Producers of specific condition types may define expected values and meanings for this field,
-and whether the values are considered a guaranteed API.
-The value should be a CamelCase string.
-This field may not be empty. - |
- true | -
status | -enum | -
- status of the condition, one of True, False, Unknown. - - Enum: True, False, Unknown - |
- true | -
type | -string | -
- type of condition in CamelCase or in foo.example.com/CamelCase. - |
- true | -
observedGeneration | -integer | -
- observedGeneration represents the .metadata.generation that the condition was set based upon.
-For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-with respect to the current state of the instance. - - Format: int64 - Minimum: 0 - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
apiVersion | -string | -tailscale.com/v1alpha1 | -true | -
kind | -string | -DNSConfig | -true | -
metadata | -object | -Refer to the Kubernetes API documentation for the fields of the `metadata` field. | -true | -
spec | -object | -
- Spec describes the desired DNS configuration.
-More info:
-https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - |
- true | -
status | -object | -
- Status describes the status of the DNSConfig. This is set
-and managed by the Tailscale operator. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
nameserver | -object | -
- Configuration for a nameserver that can resolve ts.net DNS names
-associated with in-cluster proxies for Tailscale egress Services and
-Tailscale Ingresses. The operator will always deploy this nameserver
-when a DNSConfig is applied. - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
image | -object | -
- Nameserver image. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
repo | -string | -
- Repo defaults to tailscale/k8s-nameserver. - |
- false | -
tag | -string | -
- Tag defaults to operator's own tag. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
conditions | -[]object | -
- - |
- false | -
nameserver | -object | -
- Nameserver describes the status of nameserver cluster resources. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
lastTransitionTime | -string | -
- lastTransitionTime is the last time the condition transitioned from one status to another.
-This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - - Format: date-time - |
- true | -
message | -string | -
- message is a human readable message indicating details about the transition.
-This may be an empty string. - |
- true | -
reason | -string | -
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
-Producers of specific condition types may define expected values and meanings for this field,
-and whether the values are considered a guaranteed API.
-The value should be a CamelCase string.
-This field may not be empty. - |
- true | -
status | -enum | -
- status of the condition, one of True, False, Unknown. - - Enum: True, False, Unknown - |
- true | -
type | -string | -
- type of condition in CamelCase or in foo.example.com/CamelCase. - |
- true | -
observedGeneration | -integer | -
- observedGeneration represents the .metadata.generation that the condition was set based upon.
-For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-with respect to the current state of the instance. - - Format: int64 - Minimum: 0 - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
ip | -string | -
- IP is the ClusterIP of the Service fronting the deployed ts.net nameserver.
-Currently you must manually update your cluster DNS config to add
-this address as a stub nameserver for ts.net for cluster workloads to be
-able to resolve MagicDNS names associated with egress or Ingress
-proxies.
-The IP address will change if you delete and recreate the DNSConfig. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
apiVersion | -string | -tailscale.com/v1alpha1 | -true | -
kind | -string | -ProxyClass | -true | -
metadata | -object | -Refer to the Kubernetes API documentation for the fields of the `metadata` field. | -true | -
spec | -object | -
- Specification of the desired state of the ProxyClass resource.
-https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - |
- true | -
status | -object | -
- Status of the ProxyClass. This is set and managed automatically.
-https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
metrics | -object | -
- Configuration for proxy metrics. Metrics are currently not supported
-for egress proxies and for Ingress proxies that have been configured
-with tailscale.com/experimental-forward-cluster-traffic-via-ingress
-annotation. Note that the metrics are currently considered unstable
-and will likely change in breaking ways in the future - we only
-recommend that you use those for debugging purposes. - |
- false | -
statefulSet | -object | -
- Configuration parameters for the proxy's StatefulSet. Tailscale
-Kubernetes operator deploys a StatefulSet for each of the user
-configured proxies (Tailscale Ingress, Tailscale Service, Connector). - |
- false | -
tailscale | -object | -
- TailscaleConfig contains options to configure the tailscale-specific
-parameters of proxies. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
enable | -boolean | -
- Setting enable to true will make the proxy serve Tailscale metrics
-at - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
annotations | -map[string]string | -
- Annotations that will be added to the StatefulSet created for the proxy.
-Any Annotations specified here will be merged with the default annotations
-applied to the StatefulSet by the Tailscale Kubernetes operator as
-well as any other annotations that might have been applied by other
-actors.
-Annotations must be valid Kubernetes annotations.
-https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - |
- false | -
labels | -map[string]string | -
- Labels that will be added to the StatefulSet created for the proxy.
-Any labels specified here will be merged with the default labels
-applied to the StatefulSet by the Tailscale Kubernetes operator as
-well as any other labels that might have been applied by other
-actors.
-Label keys and values must be valid Kubernetes label keys and values.
-https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - |
- false | -
pod | -object | -
- Configuration for the proxy Pod. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
affinity | -object | -
- Proxy Pod's affinity rules.
-By default, the Tailscale Kubernetes operator does not apply any affinity rules.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity - |
- false | -
annotations | -map[string]string | -
- Annotations that will be added to the proxy Pod.
-Any annotations specified here will be merged with the default
-annotations applied to the Pod by the Tailscale Kubernetes operator.
-Annotations must be valid Kubernetes annotations.
-https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set - |
- false | -
imagePullSecrets | -[]object | -
- Proxy Pod's image pull Secrets.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec - |
- false | -
labels | -map[string]string | -
- Labels that will be added to the proxy Pod.
-Any labels specified here will be merged with the default labels
-applied to the Pod by the Tailscale Kubernetes operator.
-Label keys and values must be valid Kubernetes label keys and values.
-https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - |
- false | -
nodeName | -string | -
- Proxy Pod's node name.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - |
- false | -
nodeSelector | -map[string]string | -
- Proxy Pod's node selector.
-By default Tailscale Kubernetes operator does not apply any node
-selector.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - |
- false | -
securityContext | -object | -
- Proxy Pod's security context.
-By default Tailscale Kubernetes operator does not apply any Pod
-security context.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2 - |
- false | -
tailscaleContainer | -object | -
- Configuration for the proxy container running tailscale. - |
- false | -
tailscaleInitContainer | -object | -
- Configuration for the proxy init container that enables forwarding. - |
- false | -
tolerations | -[]object | -
- Proxy Pod's tolerations.
-By default Tailscale Kubernetes operator does not apply any
-tolerations.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
nodeAffinity | -object | -
- Describes node affinity scheduling rules for the pod. - |
- false | -
podAffinity | -object | -
- Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - |
- false | -
podAntiAffinity | -object | -
- Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | -[]object | -
- The scheduler will prefer to schedule pods to nodes that satisfy
-the affinity expressions specified by this field, but it may choose
-a node that violates one or more of the expressions. The node that is
-most preferred is the one with the greatest sum of weights, i.e.
-for each node that meets all of the scheduling requirements (resource
-request, requiredDuringScheduling affinity expressions, etc.),
-compute a sum by iterating through the elements of this field and adding
-"weight" to the sum if the node matches the corresponding matchExpressions; the
-node(s) with the highest sum are the most preferred. - |
- false | -
requiredDuringSchedulingIgnoredDuringExecution | -object | -
- If the affinity requirements specified by this field are not met at
-scheduling time, the pod will not be scheduled onto the node.
-If the affinity requirements specified by this field cease to be met
-at some point during pod execution (e.g. due to an update), the system
-may or may not try to eventually evict the pod from its node. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
preference | -object | -
- A node selector term, associated with the corresponding weight. - |
- true | -
weight | -integer | -
- Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - - Format: int32 - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- A list of node selector requirements by node's labels. - |
- false | -
matchFields | -[]object | -
- A list of node selector requirements by node's fields. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- The label key that the selector applies to. - |
- true | -
operator | -string | -
- Represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - |
- true | -
values | -[]string | -
- An array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. If the operator is Gt or Lt, the values
-array must have a single element, which will be interpreted as an integer.
-This array is replaced during a strategic merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- The label key that the selector applies to. - |
- true | -
operator | -string | -
- Represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - |
- true | -
values | -[]string | -
- An array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. If the operator is Gt or Lt, the values
-array must have a single element, which will be interpreted as an integer.
-This array is replaced during a strategic merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
nodeSelectorTerms | -[]object | -
- Required. A list of node selector terms. The terms are ORed. - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- A list of node selector requirements by node's labels. - |
- false | -
matchFields | -[]object | -
- A list of node selector requirements by node's fields. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- The label key that the selector applies to. - |
- true | -
operator | -string | -
- Represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - |
- true | -
values | -[]string | -
- An array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. If the operator is Gt or Lt, the values
-array must have a single element, which will be interpreted as an integer.
-This array is replaced during a strategic merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- The label key that the selector applies to. - |
- true | -
operator | -string | -
- Represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - |
- true | -
values | -[]string | -
- An array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. If the operator is Gt or Lt, the values
-array must have a single element, which will be interpreted as an integer.
-This array is replaced during a strategic merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | -[]object | -
- The scheduler will prefer to schedule pods to nodes that satisfy
-the affinity expressions specified by this field, but it may choose
-a node that violates one or more of the expressions. The node that is
-most preferred is the one with the greatest sum of weights, i.e.
-for each node that meets all of the scheduling requirements (resource
-request, requiredDuringScheduling affinity expressions, etc.),
-compute a sum by iterating through the elements of this field and adding
-"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-node(s) with the highest sum are the most preferred. - |
- false | -
requiredDuringSchedulingIgnoredDuringExecution | -[]object | -
- If the affinity requirements specified by this field are not met at
-scheduling time, the pod will not be scheduled onto the node.
-If the affinity requirements specified by this field cease to be met
-at some point during pod execution (e.g. due to a pod label update), the
-system may or may not try to eventually evict the pod from its node.
-When there are multiple elements, the lists of nodes corresponding to each
-podAffinityTerm are intersected, i.e. all terms must be satisfied. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
podAffinityTerm | -object | -
- Required. A pod affinity term, associated with the corresponding weight. - |
- true | -
weight | -integer | -
- weight associated with matching the corresponding podAffinityTerm,
-in the range 1-100. - - Format: int32 - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
topologyKey | -string | -
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-the labelSelector in the specified namespaces, where co-located is defined as running on a node
-whose value of the label with key topologyKey matches that of any node on which any of the
-selected pods is running.
-Empty topologyKey is not allowed. - |
- true | -
labelSelector | -object | -
- A label query over a set of resources, in this case pods.
-If it's null, this PodAffinityTerm matches with no Pods. - |
- false | -
matchLabelKeys | -[]string | -
- MatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-Also, matchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
mismatchLabelKeys | -[]string | -
- MismatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
namespaceSelector | -object | -
- A label query over the set of namespaces that the term applies to.
-The term is applied to the union of the namespaces selected by this field
-and the ones listed in the namespaces field.
-null selector and null or empty namespaces list means "this pod's namespace".
-An empty selector ({}) matches all namespaces. - |
- false | -
namespaces | -[]string | -
- namespaces specifies a static list of namespace names that the term applies to.
-The term is applied to the union of the namespaces listed in this field
-and the ones selected by namespaceSelector.
-null or empty namespaces list and null namespaceSelector means "this pod's namespace". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
topologyKey | -string | -
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-the labelSelector in the specified namespaces, where co-located is defined as running on a node
-whose value of the label with key topologyKey matches that of any node on which any of the
-selected pods is running.
-Empty topologyKey is not allowed. - |
- true | -
labelSelector | -object | -
- A label query over a set of resources, in this case pods.
-If it's null, this PodAffinityTerm matches with no Pods. - |
- false | -
matchLabelKeys | -[]string | -
- MatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-Also, matchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
mismatchLabelKeys | -[]string | -
- MismatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
namespaceSelector | -object | -
- A label query over the set of namespaces that the term applies to.
-The term is applied to the union of the namespaces selected by this field
-and the ones listed in the namespaces field.
-null selector and null or empty namespaces list means "this pod's namespace".
-An empty selector ({}) matches all namespaces. - |
- false | -
namespaces | -[]string | -
- namespaces specifies a static list of namespace names that the term applies to.
-The term is applied to the union of the namespaces listed in this field
-and the ones selected by namespaceSelector.
-null or empty namespaces list and null namespaceSelector means "this pod's namespace". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | -[]object | -
- The scheduler will prefer to schedule pods to nodes that satisfy
-the anti-affinity expressions specified by this field, but it may choose
-a node that violates one or more of the expressions. The node that is
-most preferred is the one with the greatest sum of weights, i.e.
-for each node that meets all of the scheduling requirements (resource
-request, requiredDuringScheduling anti-affinity expressions, etc.),
-compute a sum by iterating through the elements of this field and adding
-"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-node(s) with the highest sum are the most preferred. - |
- false | -
requiredDuringSchedulingIgnoredDuringExecution | -[]object | -
- If the anti-affinity requirements specified by this field are not met at
-scheduling time, the pod will not be scheduled onto the node.
-If the anti-affinity requirements specified by this field cease to be met
-at some point during pod execution (e.g. due to a pod label update), the
-system may or may not try to eventually evict the pod from its node.
-When there are multiple elements, the lists of nodes corresponding to each
-podAffinityTerm are intersected, i.e. all terms must be satisfied. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
podAffinityTerm | -object | -
- Required. A pod affinity term, associated with the corresponding weight. - |
- true | -
weight | -integer | -
- weight associated with matching the corresponding podAffinityTerm,
-in the range 1-100. - - Format: int32 - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
topologyKey | -string | -
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-the labelSelector in the specified namespaces, where co-located is defined as running on a node
-whose value of the label with key topologyKey matches that of any node on which any of the
-selected pods is running.
-Empty topologyKey is not allowed. - |
- true | -
labelSelector | -object | -
- A label query over a set of resources, in this case pods.
-If it's null, this PodAffinityTerm matches with no Pods. - |
- false | -
matchLabelKeys | -[]string | -
- MatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-Also, matchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
mismatchLabelKeys | -[]string | -
- MismatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
namespaceSelector | -object | -
- A label query over the set of namespaces that the term applies to.
-The term is applied to the union of the namespaces selected by this field
-and the ones listed in the namespaces field.
-null selector and null or empty namespaces list means "this pod's namespace".
-An empty selector ({}) matches all namespaces. - |
- false | -
namespaces | -[]string | -
- namespaces specifies a static list of namespace names that the term applies to.
-The term is applied to the union of the namespaces listed in this field
-and the ones selected by namespaceSelector.
-null or empty namespaces list and null namespaceSelector means "this pod's namespace". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
topologyKey | -string | -
- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-the labelSelector in the specified namespaces, where co-located is defined as running on a node
-whose value of the label with key topologyKey matches that of any node on which any of the
-selected pods is running.
-Empty topologyKey is not allowed. - |
- true | -
labelSelector | -object | -
- A label query over a set of resources, in this case pods.
-If it's null, this PodAffinityTerm matches with no Pods. - |
- false | -
matchLabelKeys | -[]string | -
- MatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-Also, matchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
mismatchLabelKeys | -[]string | -
- MismatchLabelKeys is a set of pod label keys to select which pods will
-be taken into consideration. The keys are used to lookup values from the
-incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-to select the group of existing pods which pods will be taken into consideration
-for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-pod labels will be ignored. The default value is empty.
-The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - |
- false | -
namespaceSelector | -object | -
- A label query over the set of namespaces that the term applies to.
-The term is applied to the union of the namespaces selected by this field
-and the ones listed in the namespaces field.
-null selector and null or empty namespaces list means "this pod's namespace".
-An empty selector ({}) matches all namespaces. - |
- false | -
namespaces | -[]string | -
- namespaces specifies a static list of namespace names that the term applies to.
-The term is applied to the union of the namespaces listed in this field
-and the ones selected by namespaceSelector.
-null or empty namespaces list and null namespaceSelector means "this pod's namespace". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
matchExpressions | -[]object | -
- matchExpressions is a list of label selector requirements. The requirements are ANDed. - |
- false | -
matchLabels | -map[string]string | -
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
key | -string | -
- key is the label key that the selector applies to. - |
- true | -
operator | -string | -
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist. - |
- true | -
values | -[]string | -
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name of the referent.
-This field is effectively required, but due to backwards compatibility is
-allowed to be empty. Instances of this type with an empty value here are
-almost certainly wrong.
-More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - - Default: - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
appArmorProfile | -object | -
- appArmorProfile is the AppArmor options to use by the containers in this pod.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
fsGroup | -integer | -
- A special supplemental group that applies to all containers in a pod.
-Some volume types allow the Kubelet to change the ownership of that volume
-to be owned by the pod:
-
-1. The owning GID will be the FSGroup
-2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
-3. The permission bits are OR'd with rw-rw----
-
-If unset, the Kubelet will not modify the ownership and permissions of any volume.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
fsGroupChangePolicy | -string | -
- fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
-before being exposed inside Pod. This field will only apply to
-volume types which support fsGroup based ownership(and permissions).
-It will have no effect on ephemeral volume types such as: secret, configmaps
-and emptydir.
-Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
runAsGroup | -integer | -
- The GID to run the entrypoint of the container process.
-Uses runtime default if unset.
-May also be set in SecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence
-for that container.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
runAsNonRoot | -boolean | -
- Indicates that the container must run as a non-root user.
-If true, the Kubelet will validate the image at runtime to ensure that it
-does not run as UID 0 (root) and fail to start the container if it does.
-If unset or false, no such validation will be performed.
-May also be set in SecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
runAsUser | -integer | -
- The UID to run the entrypoint of the container process.
-Defaults to user specified in image metadata if unspecified.
-May also be set in SecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence
-for that container.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
seLinuxOptions | -object | -
- The SELinux context to be applied to all containers.
-If unspecified, the container runtime will allocate a random SELinux context for each
-container. May also be set in SecurityContext. If set in
-both SecurityContext and PodSecurityContext, the value specified in SecurityContext
-takes precedence for that container.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
seccompProfile | -object | -
- The seccomp options to use by the containers in this pod.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
supplementalGroups | -[]integer | -
- A list of groups applied to the first process run in each container, in addition
-to the container's primary GID, the fsGroup (if specified), and group memberships
-defined in the container image for the uid of the container process. If unspecified,
-no additional groups are added to any container. Note that group memberships
-defined in the container image for the uid of the container process are still effective,
-even if they are not included in this list.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
sysctls | -[]object | -
- Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
-sysctls (by the container runtime) might fail to launch.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
windowsOptions | -object | -
- The Windows specific settings applied to all containers.
-If unspecified, the options within a container's SecurityContext will be used.
-If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is linux. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of AppArmor profile will be applied.
-Valid options are:
- Localhost - a profile pre-loaded on the node.
- RuntimeDefault - the container runtime's default profile.
- Unconfined - no AppArmor enforcement. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile loaded on the node that should be used.
-The profile must be preconfigured on the node to work.
-Must match the loaded name of the profile.
-Must be set if and only if type is "Localhost". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
level | -string | -
- Level is SELinux level label that applies to the container. - |
- false | -
role | -string | -
- Role is a SELinux role label that applies to the container. - |
- false | -
type | -string | -
- Type is a SELinux type label that applies to the container. - |
- false | -
user | -string | -
- User is a SELinux user label that applies to the container. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of seccomp profile will be applied.
-Valid options are:
-
-Localhost - a profile defined in a file on the node should be used.
-RuntimeDefault - the container runtime default profile should be used.
-Unconfined - no profile should be applied. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile defined in a file on the node should be used.
-The profile must be preconfigured on the node to work.
-Must be a descending path, relative to the kubelet's configured seccomp profile location.
-Must be set if type is "Localhost". Must NOT be set for any other type. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name of a property to set - |
- true | -
value | -string | -
- Value of a property to set - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
gmsaCredentialSpec | -string | -
- GMSACredentialSpec is where the GMSA admission webhook
-(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
-GMSA credential spec named by the GMSACredentialSpecName field. - |
- false | -
gmsaCredentialSpecName | -string | -
- GMSACredentialSpecName is the name of the GMSA credential spec to use. - |
- false | -
hostProcess | -boolean | -
- HostProcess determines if a container should be run as a 'Host Process' container.
-All of a Pod's containers must have the same effective HostProcess value
-(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
-In addition, if HostProcess is true then HostNetwork must also be set to true. - |
- false | -
runAsUserName | -string | -
- The UserName in Windows to run the entrypoint of the container process.
-Defaults to the user specified in image metadata if unspecified.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
env | -[]object | -
- List of environment variables to set in the container.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
-Note that environment variables provided here will take precedence
-over Tailscale-specific environment variables set by the operator,
-however running proxies with custom values for Tailscale environment
-variables (i.e TS_USERSPACE) is not recommended and might break in
-the future. - |
- false | -
image | -string | -
- Container image name. By default images are pulled from
-docker.io/tailscale/tailscale, but the official images are also
-available at ghcr.io/tailscale/tailscale. Specifying image name here
-will override any proxy image values specified via the Kubernetes
-operator's Helm chart values or PROXY_IMAGE env var in the operator
-Deployment.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - |
- false | -
imagePullPolicy | -enum | -
- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - - Enum: Always, Never, IfNotPresent - |
- false | -
resources | -object | -
- Container resource requirements.
-By default Tailscale Kubernetes operator does not apply any resource
-requirements. The amount of resources required wil depend on the
-amount of resources the operator needs to parse, usage patterns and
-cluster size.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources - |
- false | -
securityContext | -object | -
- Container security context.
-Security context specified here will override the security context by the operator.
-By default the operator:
-- sets 'privileged: true' for the init container
-- set NET_ADMIN capability for tailscale container for proxies that
-are created for Services or Connector.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name of the environment variable. Must be a C_IDENTIFIER. - |
- true | -
value | -string | -
- Variable references $(VAR_NAME) are expanded using the previously defined
- environment variables in the container and any service environment
-variables. If a variable cannot be resolved, the reference in the input
-string will be unchanged. Double $$ are reduced to a single $, which
-allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
-produce the string literal "$(VAR_NAME)". Escaped references will never
-be expanded, regardless of whether the variable exists or not. Defaults
-to "". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
claims | -[]object | -
- Claims lists the names of resources, defined in spec.resourceClaims,
-that are used by this container.
-
-This is an alpha field and requires enabling the
-DynamicResourceAllocation feature gate.
-
-This field is immutable. It can only be set for containers. - |
- false | -
limits | -map[string]int or string | -
- Limits describes the maximum amount of compute resources allowed.
-More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - |
- false | -
requests | -map[string]int or string | -
- Requests describes the minimum amount of compute resources required.
-If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
-otherwise to an implementation-defined value. Requests cannot exceed Limits.
-More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name must match the name of one entry in pod.spec.resourceClaims of
-the Pod where this field is used. It makes that resource available
-inside a container. - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
allowPrivilegeEscalation | -boolean | -
- AllowPrivilegeEscalation controls whether a process can gain more
-privileges than its parent process. This bool directly controls if
-the no_new_privs flag will be set on the container process.
-AllowPrivilegeEscalation is true always when the container is:
-1) run as Privileged
-2) has CAP_SYS_ADMIN
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
appArmorProfile | -object | -
- appArmorProfile is the AppArmor options to use by this container. If set, this profile
-overrides the pod's appArmorProfile.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
capabilities | -object | -
- The capabilities to add/drop when running containers.
-Defaults to the default set of capabilities granted by the container runtime.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
privileged | -boolean | -
- Run container in privileged mode.
-Processes in privileged containers are essentially equivalent to root on the host.
-Defaults to false.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
procMount | -string | -
- procMount denotes the type of proc mount to use for the containers.
-The default is DefaultProcMount which uses the container runtime defaults for
-readonly paths and masked paths.
-This requires the ProcMountType feature flag to be enabled.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
readOnlyRootFilesystem | -boolean | -
- Whether this container has a read-only root filesystem.
-Default is false.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
runAsGroup | -integer | -
- The GID to run the entrypoint of the container process.
-Uses runtime default if unset.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
runAsNonRoot | -boolean | -
- Indicates that the container must run as a non-root user.
-If true, the Kubelet will validate the image at runtime to ensure that it
-does not run as UID 0 (root) and fail to start the container if it does.
-If unset or false, no such validation will be performed.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
runAsUser | -integer | -
- The UID to run the entrypoint of the container process.
-Defaults to user specified in image metadata if unspecified.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
seLinuxOptions | -object | -
- The SELinux context to be applied to the container.
-If unspecified, the container runtime will allocate a random SELinux context for each
-container. May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
seccompProfile | -object | -
- The seccomp options to use by this container. If seccomp options are
-provided at both the pod & container level, the container options
-override the pod options.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
windowsOptions | -object | -
- The Windows specific settings applied to all containers.
-If unspecified, the options from the PodSecurityContext will be used.
-If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is linux. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of AppArmor profile will be applied.
-Valid options are:
- Localhost - a profile pre-loaded on the node.
- RuntimeDefault - the container runtime's default profile.
- Unconfined - no AppArmor enforcement. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile loaded on the node that should be used.
-The profile must be preconfigured on the node to work.
-Must match the loaded name of the profile.
-Must be set if and only if type is "Localhost". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
add | -[]string | -
- Added capabilities - |
- false | -
drop | -[]string | -
- Removed capabilities - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
level | -string | -
- Level is SELinux level label that applies to the container. - |
- false | -
role | -string | -
- Role is a SELinux role label that applies to the container. - |
- false | -
type | -string | -
- Type is a SELinux type label that applies to the container. - |
- false | -
user | -string | -
- User is a SELinux user label that applies to the container. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of seccomp profile will be applied.
-Valid options are:
-
-Localhost - a profile defined in a file on the node should be used.
-RuntimeDefault - the container runtime default profile should be used.
-Unconfined - no profile should be applied. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile defined in a file on the node should be used.
-The profile must be preconfigured on the node to work.
-Must be a descending path, relative to the kubelet's configured seccomp profile location.
-Must be set if type is "Localhost". Must NOT be set for any other type. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
gmsaCredentialSpec | -string | -
- GMSACredentialSpec is where the GMSA admission webhook
-(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
-GMSA credential spec named by the GMSACredentialSpecName field. - |
- false | -
gmsaCredentialSpecName | -string | -
- GMSACredentialSpecName is the name of the GMSA credential spec to use. - |
- false | -
hostProcess | -boolean | -
- HostProcess determines if a container should be run as a 'Host Process' container.
-All of a Pod's containers must have the same effective HostProcess value
-(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
-In addition, if HostProcess is true then HostNetwork must also be set to true. - |
- false | -
runAsUserName | -string | -
- The UserName in Windows to run the entrypoint of the container process.
-Defaults to the user specified in image metadata if unspecified.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
env | -[]object | -
- List of environment variables to set in the container.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
-Note that environment variables provided here will take precedence
-over Tailscale-specific environment variables set by the operator,
-however running proxies with custom values for Tailscale environment
-variables (i.e TS_USERSPACE) is not recommended and might break in
-the future. - |
- false | -
image | -string | -
- Container image name. By default images are pulled from
-docker.io/tailscale/tailscale, but the official images are also
-available at ghcr.io/tailscale/tailscale. Specifying image name here
-will override any proxy image values specified via the Kubernetes
-operator's Helm chart values or PROXY_IMAGE env var in the operator
-Deployment.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - |
- false | -
imagePullPolicy | -enum | -
- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image - - Enum: Always, Never, IfNotPresent - |
- false | -
resources | -object | -
- Container resource requirements.
-By default Tailscale Kubernetes operator does not apply any resource
-requirements. The amount of resources required wil depend on the
-amount of resources the operator needs to parse, usage patterns and
-cluster size.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources - |
- false | -
securityContext | -object | -
- Container security context.
-Security context specified here will override the security context by the operator.
-By default the operator:
-- sets 'privileged: true' for the init container
-- set NET_ADMIN capability for tailscale container for proxies that
-are created for Services or Connector.
-https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name of the environment variable. Must be a C_IDENTIFIER. - |
- true | -
value | -string | -
- Variable references $(VAR_NAME) are expanded using the previously defined
- environment variables in the container and any service environment
-variables. If a variable cannot be resolved, the reference in the input
-string will be unchanged. Double $$ are reduced to a single $, which
-allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
-produce the string literal "$(VAR_NAME)". Escaped references will never
-be expanded, regardless of whether the variable exists or not. Defaults
-to "". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
claims | -[]object | -
- Claims lists the names of resources, defined in spec.resourceClaims,
-that are used by this container.
-
-This is an alpha field and requires enabling the
-DynamicResourceAllocation feature gate.
-
-This field is immutable. It can only be set for containers. - |
- false | -
limits | -map[string]int or string | -
- Limits describes the maximum amount of compute resources allowed.
-More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - |
- false | -
requests | -map[string]int or string | -
- Requests describes the minimum amount of compute resources required.
-If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
-otherwise to an implementation-defined value. Requests cannot exceed Limits.
-More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
name | -string | -
- Name must match the name of one entry in pod.spec.resourceClaims of
-the Pod where this field is used. It makes that resource available
-inside a container. - |
- true | -
Name | -Type | -Description | -Required | -
---|---|---|---|
allowPrivilegeEscalation | -boolean | -
- AllowPrivilegeEscalation controls whether a process can gain more
-privileges than its parent process. This bool directly controls if
-the no_new_privs flag will be set on the container process.
-AllowPrivilegeEscalation is true always when the container is:
-1) run as Privileged
-2) has CAP_SYS_ADMIN
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
appArmorProfile | -object | -
- appArmorProfile is the AppArmor options to use by this container. If set, this profile
-overrides the pod's appArmorProfile.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
capabilities | -object | -
- The capabilities to add/drop when running containers.
-Defaults to the default set of capabilities granted by the container runtime.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
privileged | -boolean | -
- Run container in privileged mode.
-Processes in privileged containers are essentially equivalent to root on the host.
-Defaults to false.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
procMount | -string | -
- procMount denotes the type of proc mount to use for the containers.
-The default is DefaultProcMount which uses the container runtime defaults for
-readonly paths and masked paths.
-This requires the ProcMountType feature flag to be enabled.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
readOnlyRootFilesystem | -boolean | -
- Whether this container has a read-only root filesystem.
-Default is false.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
runAsGroup | -integer | -
- The GID to run the entrypoint of the container process.
-Uses runtime default if unset.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
runAsNonRoot | -boolean | -
- Indicates that the container must run as a non-root user.
-If true, the Kubelet will validate the image at runtime to ensure that it
-does not run as UID 0 (root) and fail to start the container if it does.
-If unset or false, no such validation will be performed.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
runAsUser | -integer | -
- The UID to run the entrypoint of the container process.
-Defaults to user specified in image metadata if unspecified.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - - Format: int64 - |
- false | -
seLinuxOptions | -object | -
- The SELinux context to be applied to the container.
-If unspecified, the container runtime will allocate a random SELinux context for each
-container. May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
seccompProfile | -object | -
- The seccomp options to use by this container. If seccomp options are
-provided at both the pod & container level, the container options
-override the pod options.
-Note that this field cannot be set when spec.os.name is windows. - |
- false | -
windowsOptions | -object | -
- The Windows specific settings applied to all containers.
-If unspecified, the options from the PodSecurityContext will be used.
-If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
-Note that this field cannot be set when spec.os.name is linux. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of AppArmor profile will be applied.
-Valid options are:
- Localhost - a profile pre-loaded on the node.
- RuntimeDefault - the container runtime's default profile.
- Unconfined - no AppArmor enforcement. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile loaded on the node that should be used.
-The profile must be preconfigured on the node to work.
-Must match the loaded name of the profile.
-Must be set if and only if type is "Localhost". - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
add | -[]string | -
- Added capabilities - |
- false | -
drop | -[]string | -
- Removed capabilities - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
level | -string | -
- Level is SELinux level label that applies to the container. - |
- false | -
role | -string | -
- Role is a SELinux role label that applies to the container. - |
- false | -
type | -string | -
- Type is a SELinux type label that applies to the container. - |
- false | -
user | -string | -
- User is a SELinux user label that applies to the container. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
type | -string | -
- type indicates which kind of seccomp profile will be applied.
-Valid options are:
-
-Localhost - a profile defined in a file on the node should be used.
-RuntimeDefault - the container runtime default profile should be used.
-Unconfined - no profile should be applied. - |
- true | -
localhostProfile | -string | -
- localhostProfile indicates a profile defined in a file on the node should be used.
-The profile must be preconfigured on the node to work.
-Must be a descending path, relative to the kubelet's configured seccomp profile location.
-Must be set if type is "Localhost". Must NOT be set for any other type. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
gmsaCredentialSpec | -string | -
- GMSACredentialSpec is where the GMSA admission webhook
-(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
-GMSA credential spec named by the GMSACredentialSpecName field. - |
- false | -
gmsaCredentialSpecName | -string | -
- GMSACredentialSpecName is the name of the GMSA credential spec to use. - |
- false | -
hostProcess | -boolean | -
- HostProcess determines if a container should be run as a 'Host Process' container.
-All of a Pod's containers must have the same effective HostProcess value
-(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
-In addition, if HostProcess is true then HostNetwork must also be set to true. - |
- false | -
runAsUserName | -string | -
- The UserName in Windows to run the entrypoint of the container process.
-Defaults to the user specified in image metadata if unspecified.
-May also be set in PodSecurityContext. If set in both SecurityContext and
-PodSecurityContext, the value specified in SecurityContext takes precedence. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
effect | -string | -
- Effect indicates the taint effect to match. Empty means match all taint effects.
-When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - |
- false | -
key | -string | -
- Key is the taint key that the toleration applies to. Empty means match all taint keys.
-If the key is empty, operator must be Exists; this combination means to match all values and all keys. - |
- false | -
operator | -string | -
- Operator represents a key's relationship to the value.
-Valid operators are Exists and Equal. Defaults to Equal.
-Exists is equivalent to wildcard for value, so that a pod can
-tolerate all taints of a particular category. - |
- false | -
tolerationSeconds | -integer | -
- TolerationSeconds represents the period of time the toleration (which must be
-of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
-it is not set, which means tolerate the taint forever (do not evict). Zero and
-negative values will be treated as 0 (evict immediately) by the system. - - Format: int64 - |
- false | -
value | -string | -
- Value is the taint value the toleration matches to.
-If the operator is Exists, the value should be empty, otherwise just a regular string. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
acceptRoutes | -boolean | -
- AcceptRoutes can be set to true to make the proxy instance accept
-routes advertized by other nodes on the tailnet, such as subnet
-routes.
-This is equivalent of passing --accept-routes flag to a tailscale Linux client.
-https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-machines
-Defaults to false. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
conditions | -[]object | -
- List of status conditions to indicate the status of the ProxyClass.
-Known condition types are `ProxyClassReady`. - |
- false | -
Name | -Type | -Description | -Required | -
---|---|---|---|
lastTransitionTime | -string | -
- lastTransitionTime is the last time the condition transitioned from one status to another.
-This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - - Format: date-time - |
- true | -
message | -string | -
- message is a human readable message indicating details about the transition.
-This may be an empty string. - |
- true | -
reason | -string | -
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
-Producers of specific condition types may define expected values and meanings for this field,
-and whether the values are considered a guaranteed API.
-The value should be a CamelCase string.
-This field may not be empty. - |
- true | -
status | -enum | -
- status of the condition, one of True, False, Unknown. - - Enum: True, False, Unknown - |
- true | -
type | -string | -
- type of condition in CamelCase or in foo.example.com/CamelCase. - |
- true | -
observedGeneration | -integer | -
- observedGeneration represents the .metadata.generation that the condition was set based upon.
-For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-with respect to the current state of the instance. - - Format: int64 - Minimum: 0 - |
- false | -