API Reference

Packages:

• skiperator.kartverket.no/v1alpha1

skiperator.kartverket.no/v1alpha1

Resource Types:

• Application

• Routing

• SKIPJob

Application

Application

Root object for Application resource. An application resource is a resource for easily managing a Dockerized container within the context of a Kartverket cluster. This allows product teams to avoid the need to set up networking on the cluster, as well as a lot of out of the box security features.

Name	Type	Description	Required
apiVersion	string	skiperator.kartverket.no/v1alpha1	true
kind	string	Application	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the metadata field.	true
spec	object		false
status	object	SkiperatorStatus A status field shown on a Skiperator resource which contains information regarding deployment of the resource.	false

Application.spec

^{↩ Parent}

Name	Type	Description	Required
image	string	The image the application will run. This image will be added to a Deployment resource	true
port	integer	The port the deployment exposes	true
accessPolicy	object	The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.	false
additionalPorts	[]object	An optional list of extra port to expose on a pod level basis, for example so Instana or other APM tools can reach it	false
appProtocol	enum	Protocol that the application speaks. Enum: http, tcp, udp Default: http	false
authorizationSettings	object	Used for allow listing certain default blocked endpoints, such as /actuator/ end points	false
command	[]string	Override the command set in the Dockerfile. Usually only used when debugging or running third-party containers where you don't have control over the Dockerfile	false
enablePDB	boolean	Whether to enable automatic Pod Disruption Budget creation for this application. Default: true	false
env	[]object	Environment variables that will be set inside the Deployment's Pod. See https://pkg.go.dev/k8s.io/api/core/v1#EnvVar for examples.	false
envFrom	[]object	Environment variables mounted from files. When specified all the keys of the resource will be assigned as environment variables. Supports both configmaps and secrets. For mounting as files see FilesFrom.	false
filesFrom	[]object	Mounting volumes into the Deployment are done using the FilesFrom argument FilesFrom supports ConfigMaps, Secrets and PVCs. The Application resource assumes these have already been created by you, and will fail if this is not the case. For mounting environment variables see EnvFrom.	false
gcp	object	GCP is used to configure Google Cloud Platform specific settings for the application.	false
idporten	object	Settings for IDPorten integration with Digitaliseringsdirektoratet	false
ingresses	[]string	Any external hostnames that route to this application. Using a skip.statkart.no-address will make the application reachable for kartverket-clients (internal), other addresses make the app reachable on the internet. Note that other addresses than skip.statkart.no (also known as pretty hostnames) requires additional DNS setup. The below hostnames will also have TLS certificates issued and be reachable on both HTTP and HTTPS. Ingresses must be lowercase, contain no spaces, be a non-empty string, and have a hostname/domain separated by a period They can optionally be suffixed with a plus and name of a custom TLS secret located in the istio-gateways namespace. E.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert"	false
istioSettings	object	IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%. Default: map[telemetry:map[tracing:[map[randomSamplingPercentage:10]]]]	false
labels	map[string]string	Labels can be used if you want every resource created by your application to have the same labels, including your application. This could for example be useful for metrics, where a certain label and the corresponding resources liveliness can be combined. Any amount of labels can be added as wanted, and they will all cascade down to all resources.	false
liveness	object	Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make kubernetes restart the app. Liveness is optional, but when provided, path and port are required See Probe for structure definition.	false
maskinporten	object	Settings for Maskinporten integration with Digitaliseringsdirektoratet	false
podSettings	object	PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.	false
priority	enum	An optional priority. Supported values are 'low', 'medium' and 'high'. The default value is 'medium'. Most workloads should not have to specify this field. If you think you do, please consult with SKIP beforehand. Enum: low, medium, high Default: medium	false
prometheus	object	Optional settings for how Prometheus compatible metrics should be scraped.	false
readiness	object	Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required	false
redirectToHTTPS	boolean	Controls whether the application will automatically redirect all HTTP calls to HTTPS via the istio VirtualService. This redirect does not happen on the route /.well-known/acme-challenge/, as the ACME challenge can only be done on port 80. Default: true	false
replicas	JSON	The number of replicas can either be specified as a static number as follows: replicas: 2 Or by specifying a range between min and max to enable HorizontalPodAutoscaling. The default value for replicas is: replicas: min: 2 max: 5 targetCpuUtilization: 80 Using autoscaling is the recommended configuration for replicas.	false
resourceLabels	map[string]map[string]string	ResourceLabels can be used if you want to add a label to a specific resources created by the application. One such label could for example be set on a Deployment, such that the deployment avoids certain rules from Gatekeeper, or similar. Any amount of labels may be added per ResourceLabels item.	false
resources	object	ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.	false
startup	object	Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required	false
strategy	object	Defines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones. Valid values are: RollingUpdate, Recreate. Default is RollingUpdate	false
team	string	Team specifies the team who owns this particular app. Usually sourced from the namespace label.	false

Application.spec.accessPolicy

^{↩ Parent}

The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.

Name	Type	Description	Required
inbound	object	Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?	false
outbound	object	Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?	false

Application.spec.accessPolicy.inbound

^{↩ Parent}

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

Name	Type	Description	Required
rules	[]object	The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces namespace is required	true

Application.spec.accessPolicy.inbound.rules[index]

^{↩ Parent}

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name	Type	Description	Required
application	string	The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob	true
namespace	string	The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.	false
namespacesByLabel	map[string]string	Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.	false
ports	[]object	The ports to allow for the above application.	false

Application.spec.accessPolicy.inbound.rules[index].ports[index]

^{↩ Parent}

NetworkPolicyPort describes a port to allow traffic on

Name	Type	Description	Required
endPort	integer	endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32	false
port	int or string	port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.	false
protocol	string	protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.	false

Application.spec.accessPolicy.outbound

^{↩ Parent}

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

Name	Type	Description	Required
external	[]object	External specifies which applications on the internet the application can reach. Only host is required unless it is on another port than HTTPS port 443. If other ports or protocols are required then ports must be specified as well	false
rules	[]object	Rules apply the same in-cluster rules as InboundPolicy	false

Application.spec.accessPolicy.outbound.external[index]

^{↩ Parent}

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

Name	Type	Description	Required
host	string	The allowed hostname. Note that this does not include subdomains.	true
ip	string	Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname Only required for TCP requests. Note: Hostname must always be defined even if IP is set statically	false
ports	[]object	The ports to allow for the above hostname. When not specified HTTP and HTTPS on port 80 and 443 respectively are put into the allowlist	false

Application.spec.accessPolicy.outbound.external[index].ports[index]

^{↩ Parent}

ExternalPort

A custom port describing an external host

Name	Type	Description	Required
name	string	Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.	true
port	integer	The port number of the external host	true
protocol	enum	The protocol to use for communication with the host. Supported protocols are: HTTP, HTTPS, TCP and TLS. Enum: HTTP, HTTPS, TCP, TLS	true

Application.spec.accessPolicy.outbound.rules[index]

^{↩ Parent}

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name	Type	Description	Required
application	string	The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob	true
namespace	string	The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.	false
namespacesByLabel	map[string]string	Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.	false
ports	[]object	The ports to allow for the above application.	false

Application.spec.accessPolicy.outbound.rules[index].ports[index]

^{↩ Parent}

NetworkPolicyPort describes a port to allow traffic on

Name	Type	Description	Required
endPort	integer	endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32	false
port	int or string	port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.	false
protocol	string	protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.	false

Application.spec.additionalPorts[index]

^{↩ Parent}

Name	Type	Description	Required
name	string		true
port	integer	Format: int32	true
protocol	enum	Protocol defines network protocols supported for things like container ports. Enum: TCP, UDP, SCTP	true

Application.spec.authorizationSettings

^{↩ Parent}

Used for allow listing certain default blocked endpoints, such as /actuator/ end points

Name	Type	Description	Required
allowAll	boolean	Allows all endpoints by not creating an AuthorizationPolicy, and ignores the content of AllowList. If field is false, the contents of AllowList will be used instead if AllowList is set. Default: false	false
allowList	[]string	Allows specific endpoints. Common endpoints one might want to allow include /actuator/health, /actuator/startup, /actuator/info. Note that endpoints are matched specifically on the input, so if you allow /actuator/health, you will not allow /actuator/health/	false

Application.spec.env[index]

^{↩ Parent}

EnvVar represents an environment variable present in a Container.

Name	Type	Description	Required
name	string	Name of the environment variable. May consist of any printable ASCII characters except '='.	true
value	string	Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".	false
valueFrom	object	Source for the environment variable's value. Cannot be used if value is not empty.	false

Application.spec.env[index].valueFrom

^{↩ Parent}

Source for the environment variable's value. Cannot be used if value is not empty.

Name	Type	Description	Required
configMapKeyRef	object	Selects a key of a ConfigMap.	false
fieldRef	object	Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.	false
fileKeyRef	object	FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.	false
resourceFieldRef	object	Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.	false
secretKeyRef	object	Selects a key of a secret in the pod's namespace	false

Application.spec.env[index].valueFrom.configMapKeyRef

^{↩ Parent}

Selects a key of a ConfigMap.

Name	Type	Description	Required
key	string	The key to select.	true
name	string	Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: ``	false
optional	boolean	Specify whether the ConfigMap or its key must be defined	false

Application.spec.env[index].valueFrom.fieldRef

^{↩ Parent}

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Name	Type	Description	Required
fieldPath	string	Path of the field to select in the specified API version.	true
apiVersion	string	Version of the schema the FieldPath is written in terms of, defaults to "v1".	false

Application.spec.env[index].valueFrom.fileKeyRef

^{↩ Parent}

FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.

Name	Type	Description	Required
key	string	The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.	true
path	string	The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.	true
volumeName	string	The name of the volume mount containing the env file.	true
optional	boolean	Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers. If optional is set to false and the specified key does not exist, an error will be returned during Pod creation. Default: false	false

Application.spec.env[index].valueFrom.resourceFieldRef

^{↩ Parent}

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Name	Type	Description	Required
resource	string	Required: resource to select	true
containerName	string	Container name: required for volumes, optional for env vars	false
divisor	int or string	Specifies the output format of the exposed resources, defaults to "1"	false

Application.spec.env[index].valueFrom.secretKeyRef

^{↩ Parent}

Selects a key of a secret in the pod's namespace

Name	Type	Description	Required
key	string	The key of the secret to select from. Must be a valid secret key.	true
name	string	Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: ``	false
optional	boolean	Specify whether the Secret or its key must be defined	false

Application.spec.envFrom[index]

^{↩ Parent}

Name	Type	Description	Required
configMap	string	Name of Kubernetes ConfigMap in which the deployment should mount environment variables from. Must be in the same namespace as the Application	false
secret	string	Name of Kubernetes Secret in which the deployment should mount environment variables from. Must be in the same namespace as the Application	false

Application.spec.filesFrom[index]

^{↩ Parent}

FilesFrom

Struct representing information needed to mount a Kubernetes resource as a file to a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and just represent the name of the resource in question NB. Out-of-the-box, skiperator provides a writable 'emptyDir'-volume at '/tmp'

Name	Type	Description	Required
mountPath	string	The path to mount the file in the Pods directory. Required.	true
configMap	string		false
defaultMode	integer	defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.	false
emptyDir	string		false
persistentVolumeClaim	string		false
secret	string		false

Application.spec.gcp

^{↩ Parent}

GCP is used to configure Google Cloud Platform specific settings for the application.

Name	Type	Description	Required
auth	object	Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA	false
cloudSqlProxy	object	CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.	false

Application.spec.gcp.auth

^{↩ Parent}

Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

Name	Type	Description	Required
serviceAccount	string	Name of the service account in which you are trying to authenticate your pod with Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com	true

Application.spec.gcp.cloudSqlProxy

^{↩ Parent}

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

Name	Type	Description	Required
connectionName	string	Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource. The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db".	true
ip	string	The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy.	true
serviceAccount	string	Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role.	true
publicIP	boolean	Default: false	false
version	string	Image version for the CloudSQL proxy sidecar.	false

Application.spec.idporten

^{↩ Parent}

Settings for IDPorten integration with Digitaliseringsdirektoratet

Name	Type	Description	Required
enabled	boolean	Whether to enable provisioning of an ID-porten client. If enabled, an ID-porten client will be provisioned.	true
accessTokenLifetime	integer	AccessTokenLifetime is the lifetime in seconds for any issued access token from ID-porten. If unspecified, defaults to 3600 seconds (1 hour). Minimum: 1 Maximum: 3600	false
clientName	string	The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal Meant to be a human-readable name for separating clients in the portal.	false
clientURI	string	ClientURI is the URL shown to the user at ID-porten when displaying a 'back' button or on errors.	false
frontchannelLogoutPath	string	FrontchannelLogoutPath is a valid path for your application where ID-porten sends a request to whenever the user has initiated a logout elsewhere as part of a single logout (front channel logout) process.	false
integrationType	enum	IntegrationType is used to make sensible choices for your client. Which type of integration you choose will provide guidance on which scopes you can use with the client. A client can only have one integration type. NB! It is not possible to change the integration type after creation. Enum: krr, idporten, api_klient	false
postLogoutRedirectPath	string	PostLogoutRedirectPath is a simpler verison of PostLogoutRedirectURIs that will be appended to the ingress	false
postLogoutRedirectURIs	[]string	PostLogoutRedirectURIs are valid URIs that ID-porten will allow redirecting the end-user to after a single logout has been initiated and performed by the application.	false
redirectPath	string	RedirectPath is a valid path that ID-porten redirects back to after a successful authorization request.	false
requestAuthentication	object	RequestAuthentication specifies how incoming JWTs should be validated.	false
scopes	[]string	Register different oauth2 Scopes on your client. You will not be able to add a scope to your client that conflicts with the client's IntegrationType. For example, you can not add a scope that is limited to the IntegrationType krr of IntegrationType idporten, and vice versa. Default for IntegrationType krr = ("krr:global/kontaktinformasjon.read", "krr:global/digitalpost.read") Default for IntegrationType idporten = ("openid", "profile") IntegrationType api_klient have no Default, checkout Digdir documentation.	false
sessionLifetime	integer	SessionLifetime is the maximum lifetime in seconds for any given user's session in your application. The timeout starts whenever the user is redirected from the authorization_endpoint at ID-porten. If unspecified, defaults to 7200 seconds (2 hours). Note: Attempting to refresh the user's access_token beyond this timeout will yield an error. Minimum: 3600 Maximum: 7200	false

Application.spec.idporten.requestAuthentication

^{↩ Parent}

RequestAuthentication specifies how incoming JWTs should be validated.

Name	Type	Description	Required
enabled	boolean	Whether to enable JWT validation. If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience.	true
forwardJwt	boolean	If set to true, the original token will be kept for the upstream request. Defaults to true. Default: true	false
ignorePaths	[]string	IgnorePaths specifies paths that do not require an authenticated JWT. The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'. The paths can also contain the wildcard operator '*', but only at the end.	false
outputClaimToHeaders	[]object	This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.	false
paths	[]string	Paths specifies paths that require an authenticated JWT. The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'. The paths can also contain the wildcard operator '*', but only at the end.	false
secretName	string	The name of the Kubernetes Secret containing OAuth2 credentials. If omitted, the associated client registration in the application manifest is used for JWT validation.	false
tokenLocation	enum	Where to find the JWT in the incoming request An enum value of header means that the JWT is present in the Authorization header as a Bearer token. An enum value of cookie means that the JWT is present as a cookie called BearerToken. If omitted, its default value depends on the provider type: Defaults to "cookie" for providers supporting user login (e.g. IDPorten). Defaults to "header" for providers not supporting user login (e.g. Maskinporten). Enum: header, cookie	false

Application.spec.idporten.requestAuthentication.outputClaimToHeaders[index]

^{↩ Parent}

Name	Type	Description	Required
claim	string	The claim to be copied.	true
header	string	The name of the HTTP header for which the specified claim will be copied to.	true

Application.spec.istioSettings

^{↩ Parent}

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

Name	Type	Description	Required
retries	object	Retries is configurable automatic retries for requests towards the application. By default requests falling under: "connect-failure,refused-stream,unavailable,cancelled" will be retried.	false
telemetry	object	Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings. Default: map[tracing:[map[randomSamplingPercentage:10]]]	false

Application.spec.istioSettings.retries

^{↩ Parent}

Retries is configurable automatic retries for requests towards the application. By default requests falling under: "connect-failure,refused-stream,unavailable,cancelled" will be retried.

Name	Type	Description	Required
attempts	integer	Attempts is the number of retries to be allowed for a given request before giving up. The interval between retries will be determined automatically (25ms+). Default is 2 Format: int32 Minimum: 1	false
perTryTimeout	string	PerTryTimeout is the timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. Default: no timeout Format: duration	false
retryOnHttpResponseCodes	[]enum	RetryOnHttpResponseCodes HTTP response codes that should trigger a retry. A typical value is [503]. You may also use 5xx and retriable-4xx (only 409). mixed types are allowed such as [503, "retriable-4xx"] Enum: 500, 500, 501, 501, 502, 502, 503, 503, 504, 504, 505, 505, 506, 506, 507, 507, 508, 508, 510, 510, 511, 511, 409, 409, retriable-4xx, 5xx	false

Application.spec.istioSettings.telemetry

^{↩ Parent}

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

Name	Type	Description	Required
tracing	[]object	Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed. Default: [map[randomSamplingPercentage:10]]	false

Application.spec.istioSettings.telemetry.tracing[index]

^{↩ Parent}

Tracing contains relevant settings for tracing in the telemetry configuration

Name	Type	Description	Required
randomSamplingPercentage	integer	RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified by a whole number between 0-100. Setting RandomSamplingPercentage to 0 will disable tracing. Default: 10 Minimum: 0 Maximum: 100	false

Application.spec.liveness

^{↩ Parent}

Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make kubernetes restart the app. Liveness is optional, but when provided, path and port are required

See Probe for structure definition.

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

Application.spec.maskinporten

^{↩ Parent}

Settings for Maskinporten integration with Digitaliseringsdirektoratet

Name	Type	Description	Required
enabled	boolean	If enabled, provisions and configures a Maskinporten client with consumed scopes and/or Exposed scopes with DigDir.	true
clientName	string	The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal Meant to be a human-readable name for separating clients in the portal	false
requestAuthentication	object	RequestAuthentication specifies how incoming JWTs should be validated.	false
scopes	object	Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.	false

Application.spec.maskinporten.requestAuthentication

^{↩ Parent}

RequestAuthentication specifies how incoming JWTs should be validated.

Name	Type	Description	Required
enabled	boolean	Whether to enable JWT validation. If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience.	true
forwardJwt	boolean	If set to true, the original token will be kept for the upstream request. Defaults to true. Default: true	false
ignorePaths	[]string	IgnorePaths specifies paths that do not require an authenticated JWT. The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'. The paths can also contain the wildcard operator '*', but only at the end.	false
outputClaimToHeaders	[]object	This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.	false
paths	[]string	Paths specifies paths that require an authenticated JWT. The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'. The paths can also contain the wildcard operator '*', but only at the end.	false
secretName	string	The name of the Kubernetes Secret containing OAuth2 credentials. If omitted, the associated client registration in the application manifest is used for JWT validation.	false
tokenLocation	enum	Where to find the JWT in the incoming request An enum value of header means that the JWT is present in the Authorization header as a Bearer token. An enum value of cookie means that the JWT is present as a cookie called BearerToken. If omitted, its default value depends on the provider type: Defaults to "cookie" for providers supporting user login (e.g. IDPorten). Defaults to "header" for providers not supporting user login (e.g. Maskinporten). Enum: header, cookie	false

Application.spec.maskinporten.requestAuthentication.outputClaimToHeaders[index]

^{↩ Parent}

Name	Type	Description	Required
claim	string	The claim to be copied.	true
header	string	The name of the HTTP header for which the specified claim will be copied to.	true

Application.spec.maskinporten.scopes

^{↩ Parent}

Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

Name	Type	Description	Required
consumes	[]object	This is the Schema for the consumes and exposes API. consumes is a list of scopes that your client can request access to.	false
exposes	[]object	exposes is a list of scopes your application want to expose to other organization where access to the scope is based on organization number.	false

Application.spec.maskinporten.scopes.consumes[index]

^{↩ Parent}

Name	Type	Description	Required
name	string	The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access.	true

Application.spec.maskinporten.scopes.exposes[index]

^{↩ Parent}

Name	Type	Description	Required
enabled	boolean	If Enabled the configured scope is available to be used and consumed by organizations granted access.	true
name	string	The actual subscope combined with Product. Ensure that <Product><Name> matches Pattern.	true
product	string	The product-area your application belongs to e.g. arbeid, helse ... This will be included in the final scope nav:<Product><Name>.	true
accessibleForAll	boolean	Allow any organization to access the scope.	false
allowedIntegrations	[]string	Whitelisting of integration's allowed. Default is maskinporten	false
atMaxAge	integer	Max time in seconds for a issued access_token. Default is 30 sec. Minimum: 30 Maximum: 680	false
consumers	[]object	External consumers granted access to this scope and able to request access_token.	false
delegationSource	enum	Delegation source for the scope. Default is empty, which means no delegation is allowed. Enum: altinn	false
separator	string	Separator is the character that separates product and name in the final scope: scope := <prefix>:<product><separator><name> This overrides the default separator. The default separator is :. If name contains /, the default separator is instead /.	false
visibility	enum	Visibility controls the scope's visibility. Public scopes are visible for everyone. Private scopes are only visible for the organization that owns the scope as well as organizations that have been granted consumer access. Enum: private, public	false

Application.spec.maskinporten.scopes.exposes[index].consumers[index]

^{↩ Parent}

Name	Type	Description	Required
orgno	string	The external business/organization number.	true
name	string	This is a describing field intended for clarity not used for any other purpose.	false

Application.spec.podSettings

^{↩ Parent}

PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.

Name	Type	Description	Required
annotations	map[string]string	Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.	false
disablePodSpreadTopologyConstraints	boolean	DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to a given pod. Default: false	false
terminationGracePeriodSeconds	integer	TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than 30 seconds to terminate, you should increase TerminationGracePeriodSeconds. Format: int64 Default: 30	false

Application.spec.prometheus

^{↩ Parent}

Optional settings for how Prometheus compatible metrics should be scraped.

Name	Type	Description	Required
port	int or string	The port number or name where metrics are exposed (at the Pod level).	true
allowAllMetrics	boolean	Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined metrics will be dropped by default. See util/constants.go for the default list. Default: false	false
path	string	The HTTP path where Prometheus compatible metrics exists Default: /metrics	false
scrapeInterval	string	ScrapeInterval specifies the interval at which Prometheus should scrape the metrics. The interval must be at least 15 seconds (if using "Xs") and divisible by 5. If minutes ("Xm") are used, the value must be at least 1m. Validations: self == '' || self.matches('^([0-9]+[sm])+$'): self == '' || (self.endsWith('m') && int(self.split('m')[0]) >= 1) || (self.endsWith('s') && int(self.split('s')[0]) >= 15 && int(self.split('s')[0]) % 5 == 0): Default: 60s	false

Application.spec.readiness

^{↩ Parent}

Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

Application.spec.resources

^{↩ Parent}

ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.

Name	Type	Description	Required
limits	map[string]int or string	Limits set the maximum the app is allowed to use. Exceeding this limit will make kubernetes kill the app and restart it. Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits	false
requests	map[string]int or string	Requests set the initial allocation that is done for the app and will thus be available to the app on startup. More is allocated on demand until the limit is reached. Requests can be set on the CPU and memory.	false

Application.spec.startup

^{↩ Parent}

Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

Application.spec.strategy

^{↩ Parent}

Defines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones.

Valid values are: RollingUpdate, Recreate. Default is RollingUpdate

Name	Type	Description	Required
type	enum	Valid values are: RollingUpdate, Recreate. Default is RollingUpdate Enum: RollingUpdate, Recreate Default: RollingUpdate	false

Application.status

^{↩ Parent}

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name	Type	Description	Required
accessPolicies	string	Indicates if access policies are valid	true
conditions	[]object		true
subresources	map[string]object		true
summary	object	Status	true

Application.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

Application.status.subresources[key]

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true

Application.status.summary

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true

Routing

Name	Type	Description	Required
apiVersion	string	skiperator.kartverket.no/v1alpha1	true
kind	string	Routing	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the metadata field.	true
spec	object		true
status	object	SkiperatorStatus A status field shown on a Skiperator resource which contains information regarding deployment of the resource.	false

Routing.spec

^{↩ Parent}

Name	Type	Description	Required
hostname	string		true
routes	[]object		true
redirectToHTTPS	boolean	Default: true	false

Routing.spec.routes[index]

^{↩ Parent}

Name	Type	Description	Required
pathPrefix	string		true
targetApp	string		true
port	integer	Format: int32	false
rewriteUri	boolean	Default: false	false

Routing.status

^{↩ Parent}

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name	Type	Description	Required
accessPolicies	string	Indicates if access policies are valid	true
conditions	[]object		true
subresources	map[string]object		true
summary	object	Status	true

Routing.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

Routing.status.subresources[key]

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true

Routing.status.summary

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true

SKIPJob

SKIPJob is the Schema for the skipjobs API

Name	Type	Description	Required
apiVersion	string	skiperator.kartverket.no/v1alpha1	true
kind	string	SKIPJob	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the metadata field.	true
spec	object	SKIPJobSpec defines the desired state of SKIPJob A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings. Validations: (has(oldSelf.cron) && has(self.cron)) || (!has(oldSelf.cron) && !has(self.cron)): After creation of a SKIPJob you may not remove the Cron field if it was previously present, or add it if it was previously omitted. Please delete the SKIPJob to change its nature from a one-off/scheduled job. ((!has(self.cron) && (oldSelf.container == self.container)) || has(self.cron)): The field Container is immutable for one-off jobs. Please delete your SKIPJob to change the containers settings.	true
status	object	SkiperatorStatus A status field shown on a Skiperator resource which contains information regarding deployment of the resource.	false

SKIPJob.spec

^{↩ Parent}

SKIPJobSpec defines the desired state of SKIPJob

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings.

Name	Type	Description	Required
container	object	Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob	true
cron	object	Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.	false
istioSettings	object	IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%. Default: map[telemetry:map[tracing:[map[randomSamplingPercentage:10]]]]	false
job	object	Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.	false
prometheus	object	Prometheus settings for pod running in job. Fields are identical to Application and if set, a podmonitoring object is created.	false

SKIPJob.spec.container

^{↩ Parent}

Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob

Name	Type	Description	Required
image	string		true
accessPolicy	object	AccessPolicy Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to	false
additionalPorts	[]object		false
command	[]string		false
env	[]object		false
envFrom	[]object		false
filesFrom	[]object		false
gcp	object	GCP Configuration for interacting with Google Cloud Platform	false
liveness	object	Probe Type configuration for all types of Kubernetes probes.	false
podSettings	object	PodSettings	false
priority	enum	Enum: low, medium, high Default: medium	false
readiness	object	Probe Type configuration for all types of Kubernetes probes.	false
resources	object	ResourceRequirements A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes	false
restartPolicy	enum	RestartPolicy describes how the container should be restarted. Only one of the following restart policies may be specified. If none of the following policies is specified, the default one is RestartPolicyAlways. Enum: OnFailure, Never Default: Never	false
startup	object	Probe Type configuration for all types of Kubernetes probes.	false

SKIPJob.spec.container.accessPolicy

^{↩ Parent}

AccessPolicy

Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to

Name	Type	Description	Required
inbound	object	Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?	false
outbound	object	Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?	false

SKIPJob.spec.container.accessPolicy.inbound

^{↩ Parent}

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

Name	Type	Description	Required
rules	[]object	The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces namespace is required	true

SKIPJob.spec.container.accessPolicy.inbound.rules[index]

^{↩ Parent}

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name	Type	Description	Required
application	string	The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob	true
namespace	string	The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.	false
namespacesByLabel	map[string]string	Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.	false
ports	[]object	The ports to allow for the above application.	false

SKIPJob.spec.container.accessPolicy.inbound.rules[index].ports[index]

^{↩ Parent}

NetworkPolicyPort describes a port to allow traffic on

Name	Type	Description	Required
endPort	integer	endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32	false
port	int or string	port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.	false
protocol	string	protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.	false

SKIPJob.spec.container.accessPolicy.outbound

^{↩ Parent}

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

Name	Type	Description	Required
external	[]object	External specifies which applications on the internet the application can reach. Only host is required unless it is on another port than HTTPS port 443. If other ports or protocols are required then ports must be specified as well	false
rules	[]object	Rules apply the same in-cluster rules as InboundPolicy	false

SKIPJob.spec.container.accessPolicy.outbound.external[index]

^{↩ Parent}

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

Name	Type	Description	Required
host	string	The allowed hostname. Note that this does not include subdomains.	true
ip	string	Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname Only required for TCP requests. Note: Hostname must always be defined even if IP is set statically	false
ports	[]object	The ports to allow for the above hostname. When not specified HTTP and HTTPS on port 80 and 443 respectively are put into the allowlist	false

SKIPJob.spec.container.accessPolicy.outbound.external[index].ports[index]

^{↩ Parent}

ExternalPort

A custom port describing an external host

Name	Type	Description	Required
name	string	Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.	true
port	integer	The port number of the external host	true
protocol	enum	The protocol to use for communication with the host. Supported protocols are: HTTP, HTTPS, TCP and TLS. Enum: HTTP, HTTPS, TCP, TLS	true

SKIPJob.spec.container.accessPolicy.outbound.rules[index]

^{↩ Parent}

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name	Type	Description	Required
application	string	The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob	true
namespace	string	The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.	false
namespacesByLabel	map[string]string	Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.	false
ports	[]object	The ports to allow for the above application.	false

SKIPJob.spec.container.accessPolicy.outbound.rules[index].ports[index]

^{↩ Parent}

NetworkPolicyPort describes a port to allow traffic on

Name	Type	Description	Required
endPort	integer	endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32	false
port	int or string	port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.	false
protocol	string	protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.	false

SKIPJob.spec.container.additionalPorts[index]

^{↩ Parent}

Name	Type	Description	Required
name	string		true
port	integer	Format: int32	true
protocol	enum	Protocol defines network protocols supported for things like container ports. Enum: TCP, UDP, SCTP	true

SKIPJob.spec.container.env[index]

^{↩ Parent}

EnvVar represents an environment variable present in a Container.

Name	Type	Description	Required
name	string	Name of the environment variable. May consist of any printable ASCII characters except '='.	true
value	string	Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".	false
valueFrom	object	Source for the environment variable's value. Cannot be used if value is not empty.	false

SKIPJob.spec.container.env[index].valueFrom

^{↩ Parent}

Source for the environment variable's value. Cannot be used if value is not empty.

Name	Type	Description	Required
configMapKeyRef	object	Selects a key of a ConfigMap.	false
fieldRef	object	Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.	false
fileKeyRef	object	FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.	false
resourceFieldRef	object	Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.	false
secretKeyRef	object	Selects a key of a secret in the pod's namespace	false

SKIPJob.spec.container.env[index].valueFrom.configMapKeyRef

^{↩ Parent}

Selects a key of a ConfigMap.

Name	Type	Description	Required
key	string	The key to select.	true
name	string	Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: ``	false
optional	boolean	Specify whether the ConfigMap or its key must be defined	false

SKIPJob.spec.container.env[index].valueFrom.fieldRef

^{↩ Parent}

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Name	Type	Description	Required
fieldPath	string	Path of the field to select in the specified API version.	true
apiVersion	string	Version of the schema the FieldPath is written in terms of, defaults to "v1".	false

SKIPJob.spec.container.env[index].valueFrom.fileKeyRef

^{↩ Parent}

FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.

Name	Type	Description	Required
key	string	The key within the env file. An invalid key will prevent the pod from starting. The keys defined within a source may consist of any printable ASCII characters except '='. During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.	true
path	string	The path within the volume from which to select the file. Must be relative and may not contain the '..' path or start with '..'.	true
volumeName	string	The name of the volume mount containing the env file.	true
optional	boolean	Specify whether the file or its key must be defined. If the file or key does not exist, then the env var is not published. If optional is set to true and the specified key does not exist, the environment variable will not be set in the Pod's containers. If optional is set to false and the specified key does not exist, an error will be returned during Pod creation. Default: false	false

SKIPJob.spec.container.env[index].valueFrom.resourceFieldRef

^{↩ Parent}

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Name	Type	Description	Required
resource	string	Required: resource to select	true
containerName	string	Container name: required for volumes, optional for env vars	false
divisor	int or string	Specifies the output format of the exposed resources, defaults to "1"	false

SKIPJob.spec.container.env[index].valueFrom.secretKeyRef

^{↩ Parent}

Selects a key of a secret in the pod's namespace

Name	Type	Description	Required
key	string	The key of the secret to select from. Must be a valid secret key.	true
name	string	Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: ``	false
optional	boolean	Specify whether the Secret or its key must be defined	false

SKIPJob.spec.container.envFrom[index]

^{↩ Parent}

Name	Type	Description	Required
configMap	string	Name of Kubernetes ConfigMap in which the deployment should mount environment variables from. Must be in the same namespace as the Application	false
secret	string	Name of Kubernetes Secret in which the deployment should mount environment variables from. Must be in the same namespace as the Application	false

SKIPJob.spec.container.filesFrom[index]

^{↩ Parent}

FilesFrom

Struct representing information needed to mount a Kubernetes resource as a file to a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and just represent the name of the resource in question NB. Out-of-the-box, skiperator provides a writable 'emptyDir'-volume at '/tmp'

Name	Type	Description	Required
mountPath	string	The path to mount the file in the Pods directory. Required.	true
configMap	string		false
defaultMode	integer	defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.	false
emptyDir	string		false
persistentVolumeClaim	string		false
secret	string		false

SKIPJob.spec.container.gcp

^{↩ Parent}

GCP

Configuration for interacting with Google Cloud Platform

Name	Type	Description	Required
auth	object	Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA	false
cloudSqlProxy	object	CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.	false

SKIPJob.spec.container.gcp.auth

^{↩ Parent}

Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

Name	Type	Description	Required
serviceAccount	string	Name of the service account in which you are trying to authenticate your pod with Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com	true

SKIPJob.spec.container.gcp.cloudSqlProxy

^{↩ Parent}

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

Name	Type	Description	Required
connectionName	string	Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource. The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db".	true
ip	string	The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy.	true
serviceAccount	string	Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role.	true
publicIP	boolean	Default: false	false
version	string	Image version for the CloudSQL proxy sidecar.	false

SKIPJob.spec.container.liveness

^{↩ Parent}

Probe

Type configuration for all types of Kubernetes probes.

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

SKIPJob.spec.container.podSettings

^{↩ Parent}

PodSettings

Name	Type	Description	Required
annotations	map[string]string	Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.	false
disablePodSpreadTopologyConstraints	boolean	DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to a given pod. Default: false	false
terminationGracePeriodSeconds	integer	TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than 30 seconds to terminate, you should increase TerminationGracePeriodSeconds. Format: int64 Default: 30	false

SKIPJob.spec.container.readiness

^{↩ Parent}

Probe

Type configuration for all types of Kubernetes probes.

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

SKIPJob.spec.container.resources

^{↩ Parent}

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

Name	Type	Description	Required
limits	map[string]int or string	Limits set the maximum the app is allowed to use. Exceeding this limit will make kubernetes kill the app and restart it. Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits	false
requests	map[string]int or string	Requests set the initial allocation that is done for the app and will thus be available to the app on startup. More is allocated on demand until the limit is reached. Requests can be set on the CPU and memory.	false

SKIPJob.spec.container.startup

^{↩ Parent}

Probe

Type configuration for all types of Kubernetes probes.

Name	Type	Description	Required
path	string	The path to access on the HTTP server	true
port	int or string	Number of the port to access on the container	true
failureThreshold	integer	Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1 Format: int32 Default: 3	false
initialDelay	integer	Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 Default: 0	false
period	integer	Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 Default: 10	false
successThreshold	integer	Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 Default: 1	false
timeout	integer	Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 Format: int32 Default: 1	false

SKIPJob.spec.cron

^{↩ Parent}

Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.

Name	Type	Description	Required
schedule	string	A CronJob string for denoting the schedule of this job. See https://crontab.guru/ for help creating CronJob strings. Kubernetes CronJobs also include the extended "Vixie cron" step values: https://man.freebsd.org/cgi/man.cgi?crontab%285%29.	true
allowConcurrency	enum	Denotes how Kubernetes should react to multiple instances of the Job being started at the same time. Allow will allow concurrent jobs. Forbid will not allow this, and instead skip the newer schedule Job. Replace will replace the current active Job with the newer scheduled Job. Enum: Allow, Forbid, Replace Default: Allow	false
startingDeadlineSeconds	integer	Denotes the deadline in seconds for starting a job on its schedule, if for some reason the Job's controller was not ready upon the scheduled time. If unset, Jobs missing their deadline will be considered failed jobs and will not start. Format: int64	false
suspend	boolean	If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to true, all running Pods will be terminated.	false
timeZone	string	The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the cluster. Example: "Europe/Oslo"	false

SKIPJob.spec.istioSettings

^{↩ Parent}

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

Name	Type	Description	Required
telemetry	object	Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings. Default: map[tracing:[map[randomSamplingPercentage:10]]]	false

SKIPJob.spec.istioSettings.telemetry

^{↩ Parent}

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

Name	Type	Description	Required
tracing	[]object	Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed. Default: [map[randomSamplingPercentage:10]]	false

SKIPJob.spec.istioSettings.telemetry.tracing[index]

^{↩ Parent}

Tracing contains relevant settings for tracing in the telemetry configuration

Name	Type	Description	Required
randomSamplingPercentage	integer	RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified by a whole number between 0-100. Setting RandomSamplingPercentage to 0 will disable tracing. Default: 10 Minimum: 0 Maximum: 100	false

SKIPJob.spec.job

^{↩ Parent}

Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.

Name	Type	Description	Required
activeDeadlineSeconds	integer	ActiveDeadlineSeconds denotes a duration in seconds started from when the job is first active. If the deadline is reached during the job's workload the job and its Pods are terminated. If the job is suspended using the Suspend field, this timer is stopped and reset when unsuspended. Format: int64	false
backoffLimit	integer	Specifies the number of retry attempts before determining the job as failed. Defaults to 6. Format: int32	false
suspend	boolean	If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to false, all running Pods will be terminated.	false
ttlSecondsAfterFinished	integer	The number of seconds to wait before removing the Job after it has finished. If unset, Job will not be cleaned up. It is recommended to set this to avoid clutter in your resource tree. Format: int32	false

SKIPJob.spec.prometheus

^{↩ Parent}

Prometheus settings for pod running in job. Fields are identical to Application and if set, a podmonitoring object is created.

Name	Type	Description	Required
port	int or string	The port number or name where metrics are exposed (at the Pod level).	true
allowAllMetrics	boolean	Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined metrics will be dropped by default. See util/constants.go for the default list. Default: false	false
path	string	The HTTP path where Prometheus compatible metrics exists Default: /metrics	false
scrapeInterval	string	ScrapeInterval specifies the interval at which Prometheus should scrape the metrics. The interval must be at least 15 seconds (if using "Xs") and divisible by 5. If minutes ("Xm") are used, the value must be at least 1m. Validations: self == '' || self.matches('^([0-9]+[sm])+$'): self == '' || (self.endsWith('m') && int(self.split('m')[0]) >= 1) || (self.endsWith('s') && int(self.split('s')[0]) >= 15 && int(self.split('s')[0]) % 5 == 0): Default: 60s	false

SKIPJob.status

^{↩ Parent}

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name	Type	Description	Required
accessPolicies	string	Indicates if access policies are valid	true
conditions	[]object		true
subresources	map[string]object		true
summary	object	Status	true

SKIPJob.status.conditions[index]

^{↩ Parent}

Condition contains details for one aspect of the current state of this API Resource.

Name	Type	Description	Required
lastTransitionTime	string	lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time	true
message	string	message is a human readable message indicating details about the transition. This may be an empty string.	true
reason	string	reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.	true
status	enum	status of the condition, one of True, False, Unknown. Enum: True, False, Unknown	true
type	string	type of condition in CamelCase or in foo.example.com/CamelCase.	true
observedGeneration	integer	observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 Minimum: 0	false

SKIPJob.status.subresources[key]

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true

SKIPJob.status.summary

^{↩ Parent}

Status

Name	Type	Description	Required
message	string	Default: hello	true
status	string	Default: Synced	true
timestamp	string	Default: hello	true