Skip to main content

API Reference

Packagesโ€‹

PackageResource types
skiperator.kartverket.no/v1alpha1Application
Routing
SKIPJob
skiperator.kartverket.no/v1beta1SKIPJob

Package skiperator.kartverket.no/v1alpha1โ€‹

Resource types in this package:

Applicationโ€‹

FieldValue
Packageskiperator.kartverket.no/v1alpha1
API versionskiperator.kartverket.no/v1alpha1
KindApplication

Application

Root object for Application resource. An application resource is a resource for easily managing a Dockerized container within the context of a Kartverket cluster. This allows product teams to avoid the need to set up networking on the cluster, as well as a lot of out of the box security features.

NameTypeDescriptionRequired
apiVersionstringskiperator.kartverket.no/v1alpha1true
kindstringApplicationtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject
false
statusobject

ApplicationStatus is a specialized status specific to the Application kind.

false

Application.specโ€‹

Parent
NameTypeDescriptionRequired
imagestring

The image the application will run. This image will be added to a Deployment resource

true
portinteger

The port the deployment exposes

true
accessPolicyobject

The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.

false
additionalPorts[]object

An optional list of extra port to expose on a pod level basis,
for example so Instana or other APM tools can reach it

false
appProtocolenum

Protocol that the application speaks.


Enum: http, tcp, udp
Default: http

false
authorizationSettingsobject

Used for allow listing certain default blocked endpoints, such as /actuator/ end points

false
command[]string

Override the command set in the Dockerfile. Usually only used when debugging
or running third-party containers where you don't have control over the Dockerfile

false
enablePDBboolean

Whether to enable automatic Pod Disruption Budget creation for this application.


Default: true

false
env[]object

Environment variables that will be set inside the Deployment's Pod. See https://pkg.go.dev/k8s.io/api/core/v1#EnvVar for examples.

false
envFrom[]object

Environment variables mounted from files. When specified all the keys of the
resource will be assigned as environment variables. Supports both configmaps
and secrets.

For mounting as files see FilesFrom.

false
filesFrom[]object

Mounting volumes into the Deployment are done using the FilesFrom argument

FilesFrom supports ConfigMaps, Secrets and PVCs. The Application resource
assumes these have already been created by you, and will fail if this is not the case.

For mounting environment variables see EnvFrom.

false
gcpobject

GCP is used to configure Google Cloud Platform specific settings for the application.

false
idportenobject

Settings for IDPorten integration with Digitaliseringsdirektoratet

false
ingresses[]string

Any external hostnames that route to this application. Using a skip.statkart.no-address
will make the application reachable for kartverket-clients (internal), other addresses
make the app reachable on the internet. Note that other addresses than skip.statkart.no
(also known as pretty hostnames) requires additional DNS setup.
The below hostnames will also have TLS certificates issued and be reachable on both
HTTP and HTTPS.

Ingresses must be lowercase, contain no spaces, be a non-empty string, and have a hostname/domain separated by a period
They can optionally be suffixed with a plus and name of a custom TLS secret located in the istio-gateways namespace.
E.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert"

false
istioSettingsobject

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling
interval for tracing is the only supported option.
By default, tracing is enabled with a random sampling percentage of 10%.


Default: map[telemetry:map[tracing:[map[randomSamplingPercentage:10]]]]

false
labelsmap[string]string

Labels can be used if you want every resource created by your application to
have the same labels, including your application. This could for example be useful for
metrics, where a certain label and the corresponding resources liveliness can be combined.
Any amount of labels can be added as wanted, and they will all cascade down to all resources.

false
livenessobject

Liveness probes define a resource that returns 200 OK when the app is running
as intended. Returning a non-200 code will make kubernetes restart the app.
Liveness is optional, but when provided, path and port are required

See Probe for structure definition.

false
maskinportenobject

Settings for Maskinporten integration with Digitaliseringsdirektoratet

false
podSettingsobject

PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set
things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.

false
priorityenum

An optional priority. Supported values are 'low', 'medium' and 'high'.
The default value is 'medium'.

Most workloads should not have to specify this field. If you think you
do, please consult with SKIP beforehand.


Enum: low, medium, high
Default: medium

false
prometheusobject

Optional settings for how Prometheus compatible metrics should be scraped.

false
readinessobject

Readiness probes define a resource that returns 200 OK when the app is running
as intended. Kubernetes will wait until the resource returns 200 OK before
marking the pod as Running and progressing with the deployment strategy.
Readiness is optional, but when provided, path and port are required

false
redirectToHTTPSboolean

Controls whether the application will automatically redirect all HTTP calls to HTTPS via the istio VirtualService.
This redirect does not happen on the route /.well-known/acme-challenge/, as the ACME challenge can only be done on port 80.


Default: true

false
replicasJSON

The number of replicas can either be specified as a static number as follows:

replicas: 2

Or by specifying a range between min and max to enable HorizontalPodAutoscaling.
The default value for replicas is:
replicas:
min: 2
max: 5
targetCpuUtilization: 80
targetMemoryUtilization: 80
Using autoscaling is the recommended configuration for replicas.

false
resourceLabelsmap[string]map[string]string

ResourceLabels can be used if you want to add a label to a specific resources created by
the application. One such label could for example be set on a Deployment, such that
the deployment avoids certain rules from Gatekeeper, or similar. Any amount of labels may be added per ResourceLabels item.

false
resourcesobject

ResourceRequirements to apply to the deployment. It's common to set some of these to
prevent the app from swelling in resource usage and consuming all the
resources of other apps on the cluster.

false
startupobject

Kubernetes uses startup probes to know when a container application has started.
If such a probe is configured, it disables liveness and readiness checks until it
succeeds, making sure those probes don't interfere with the application startup.
This can be used to adopt liveness checks on slow starting containers, avoiding them
getting killed by Kubernetes before they are up and running.
Startup is optional, but when provided, path and port are required

false
statefulobject

Stateful, when set with enabled=true, generates a StatefulSet instead of a Deployment.
Requires VolumeClaimTemplates. Disallows Strategy.Type=Recreate and HPA-range replicas.
The enabled flag is immutable - delete and recreate the Application to change.

false
strategyobject

Defines an alternative strategy for the Kubernetes deployment. This is useful when
the default strategy, RollingUpdate, is not usable. Setting type to
Recreate will take down all the pods before starting new pods, whereas the
default of RollingUpdate will try to start the new pods before taking down the
old ones.

Valid values are: RollingUpdate, Recreate. Default is RollingUpdate

false
teamstring

Team specifies the team who owns this particular app.
Usually sourced from the namespace label.

false

Application.spec.accessPolicyโ€‹

Parent

The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.

NameTypeDescriptionRequired
inboundobject

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

false
outboundobject

Outbound specifies egress rules. Which apps on the cluster and the
internet is the Application allowed to send requests to?

false

Application.spec.accessPolicy.inboundโ€‹

Parent

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

NameTypeDescriptionRequired
rules[]object

The rules list specifies a list of applications. When no namespace is
specified it refers to an app in the current namespace. For apps in
other namespaces namespace is required

true

Application.spec.accessPolicy.inbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

Application.spec.accessPolicy.inbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

Application.spec.accessPolicy.outboundโ€‹

Parent

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

NameTypeDescriptionRequired
external[]object

External specifies which applications on the internet the application
can reach. Only host is required unless it is on another port than HTTPS port 443.
If other ports or protocols are required then ports must be specified as well

false
rules[]object

Rules apply the same in-cluster rules as InboundPolicy

false

Application.spec.accessPolicy.outbound.external[index]โ€‹

Parent

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

NameTypeDescriptionRequired
hoststring

The allowed hostname. Note that this does not include subdomains.

true
ipstring

Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname
Only required for TCP requests.

Note: Hostname must always be defined even if IP is set statically

false
ports[]object

The ports to allow for the above hostname. When not specified HTTP and
HTTPS on port 80 and 443 respectively are put into the allowlist

false

Application.spec.accessPolicy.outbound.external[index].ports[index]โ€‹

Parent

ExternalPort

A custom port describing an external host

NameTypeDescriptionRequired
namestring

Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.

true
portinteger

The port number of the external host

true
protocolenum

The protocol to use for communication with the host. Supported protocols are: HTTP, HTTPS, TCP and TLS.


Enum: HTTP, HTTPS, TCP, TLS

true

Application.spec.accessPolicy.outbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

Application.spec.accessPolicy.outbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

Application.spec.additionalPorts[index]โ€‹

Parent
NameTypeDescriptionRequired
namestring
true
portinteger

Format: int32

true
protocolenum

Protocol defines network protocols supported for things like container ports.


Enum: TCP, UDP, SCTP

true

Application.spec.authorizationSettingsโ€‹

Parent

Used for allow listing certain default blocked endpoints, such as /actuator/ end points

NameTypeDescriptionRequired
allowAllboolean

Allows all endpoints by not creating an AuthorizationPolicy, and ignores the content of AllowList.
If field is false, the contents of AllowList will be used instead if AllowList is set.


Default: false

false
allowList[]string

Allows specific endpoints. Common endpoints one might want to allow include /actuator/health, /actuator/startup, /actuator/info.

Note that endpoints are matched specifically on the input, so if you allow /actuator/health, you will not allow /actuator/health/

false

Application.spec.env[index]โ€‹

Parent

EnvVar represents an environment variable present in a Container.

NameTypeDescriptionRequired
namestring

Name of the environment variable.
May consist of any printable ASCII characters except '='.

true
valuestring

Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".

false
valueFromobject

Source for the environment variable's value. Cannot be used if value is not empty.

false

Application.spec.env[index].valueFromโ€‹

Parent

Source for the environment variable's value. Cannot be used if value is not empty.

NameTypeDescriptionRequired
configMapKeyRefobject

Selects a key of a ConfigMap.

false
fieldRefobject

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'],
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

false
fileKeyRefobject

FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.

false
resourceFieldRefobject

Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

false
secretKeyRefobject

Selects a key of a secret in the pod's namespace

false

Application.spec.env[index].valueFrom.configMapKeyRefโ€‹

Parent

Selects a key of a ConfigMap.

NameTypeDescriptionRequired
keystring

The key to select.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the ConfigMap or its key must be defined

false

Application.spec.env[index].valueFrom.fieldRefโ€‹

Parent

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

NameTypeDescriptionRequired
fieldPathstring

Path of the field to select in the specified API version.

true
apiVersionstring

Version of the schema the FieldPath is written in terms of, defaults to "v1".

false

Application.spec.env[index].valueFrom.fileKeyRefโ€‹

Parent

FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.

NameTypeDescriptionRequired
keystring

The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.

true
pathstring

The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.

true
volumeNamestring

The name of the volume mount containing the env file.

true
optionalboolean

Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.

If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.


Default: false

false

Application.spec.env[index].valueFrom.resourceFieldRefโ€‹

Parent

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

NameTypeDescriptionRequired
resourcestring

Required: resource to select

true
containerNamestring

Container name: required for volumes, optional for env vars

false
divisorint or string

Specifies the output format of the exposed resources, defaults to "1"

false

Application.spec.env[index].valueFrom.secretKeyRefโ€‹

Parent

Selects a key of a secret in the pod's namespace

NameTypeDescriptionRequired
keystring

The key of the secret to select from. Must be a valid secret key.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the Secret or its key must be defined

false

Application.spec.envFrom[index]โ€‹

Parent
NameTypeDescriptionRequired
configMapstring

Name of Kubernetes ConfigMap in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false
secretstring

Name of Kubernetes Secret in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false

Application.spec.filesFrom[index]โ€‹

Parent

FilesFrom

Struct representing information needed to mount a Kubernetes resource as a file to a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and just represent the name of the resource in question NB. Out-of-the-box, skiperator provides a writable 'emptyDir'-volume at '/tmp'

NameTypeDescriptionRequired
mountPathstring

The path to mount the file in the Pods directory. Required.

true
configMapstring
false
defaultModeinteger

defaultMode is optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.

false
emptyDirstring
false
persistentVolumeClaimstring
false
secretstring
false

Application.spec.gcpโ€‹

Parent

GCP is used to configure Google Cloud Platform specific settings for the application.

NameTypeDescriptionRequired
authobject

Configuration for authenticating a Pod with Google Cloud Platform
For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need
to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP
service account and bind this to the Pod's Kubernetes SA.
Documentation on how this is done can be found here (Closed Wiki):
https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

false
cloudSqlProxyobject

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod.
This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

false

Application.spec.gcp.authโ€‹

Parent

Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

NameTypeDescriptionRequired
serviceAccountstring

Name of the service account in which you are trying to authenticate your pod with
Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com

true

Application.spec.gcp.cloudSqlProxyโ€‹

Parent

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

NameTypeDescriptionRequired
connectionNamestring

Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource.
The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db".

true
ipstring

The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy.

true
serviceAccountstring

Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role.

true
publicIPboolean

Default: false

false
versionstring

Image version for the CloudSQL proxy sidecar.

false

Application.spec.idportenโ€‹

Parent

Settings for IDPorten integration with Digitaliseringsdirektoratet

NameTypeDescriptionRequired
enabledboolean

Whether to enable provisioning of an ID-porten client.
If enabled, an ID-porten client will be provisioned.

true
accessTokenLifetimeinteger

AccessTokenLifetime is the lifetime in seconds for any issued access token from ID-porten.

If unspecified, defaults to 3600 seconds (1 hour).


Minimum: 1
Maximum: 3600

false
clientNamestring

The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal
Meant to be a human-readable name for separating clients in the portal.

false
clientURIstring

ClientURI is the URL shown to the user at ID-porten when displaying a 'back' button or on errors.

false
frontchannelLogoutPathstring

FrontchannelLogoutPath is a valid path for your application where ID-porten sends a request to whenever the user has
initiated a logout elsewhere as part of a single logout (front channel logout) process.

false
integrationTypeenum

IntegrationType is used to make sensible choices for your client.
Which type of integration you choose will provide guidance on which scopes you can use with the client.
A client can only have one integration type.

NB! It is not possible to change the integration type after creation.


Enum: krr, idporten, api_klient

false
postLogoutRedirectPathstring

PostLogoutRedirectPath is a simpler verison of PostLogoutRedirectURIs
that will be appended to the ingress

false
postLogoutRedirectURIs[]string

PostLogoutRedirectURIs are valid URIs that ID-porten will allow redirecting the end-user to after a single logout
has been initiated and performed by the application.

false
redirectPathstring

RedirectPath is a valid path that ID-porten redirects back to after a successful authorization request.

false
requestAuthenticationobject

RequestAuthentication specifies how incoming JWTs should be validated.

false
scopes[]string

Register different oauth2 Scopes on your client.
You will not be able to add a scope to your client that conflicts with the client's IntegrationType.
For example, you can not add a scope that is limited to the IntegrationType krr of IntegrationType idporten, and vice versa.

Default for IntegrationType krr = ("krr:global/kontaktinformasjon.read", "krr:global/digitalpost.read")
Default for IntegrationType idporten = ("openid", "profile")
IntegrationType api_klient have no Default, checkout Digdir documentation.

false
sessionLifetimeinteger

SessionLifetime is the maximum lifetime in seconds for any given user's session in your application.
The timeout starts whenever the user is redirected from the authorization_endpoint at ID-porten.

If unspecified, defaults to 7200 seconds (2 hours).
Note: Attempting to refresh the user's access_token beyond this timeout will yield an error.


Minimum: 3600
Maximum: 7200

false

Application.spec.idporten.requestAuthenticationโ€‹

Parent

RequestAuthentication specifies how incoming JWTs should be validated.

NameTypeDescriptionRequired
enabledboolean

Whether to enable JWT validation.
If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience.

true
forwardJwtboolean

If set to true, the original token will be kept for the upstream request. Defaults to true.


Default: true

false
ignorePaths[]string

IgnorePaths specifies paths that do not require an authenticated JWT.

The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
The paths can also contain the wildcard operator '*', but only at the end.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

false
paths[]string

Paths specifies paths that require an authenticated JWT.

The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
The paths can also contain the wildcard operator '*', but only at the end.

false
secretNamestring

The name of the Kubernetes Secret containing OAuth2 credentials.

If omitted, the associated client registration in the application manifest is used for JWT validation.

false
tokenLocationenum

Where to find the JWT in the incoming request

An enum value of header means that the JWT is present in the Authorization header as a Bearer token.
An enum value of cookie means that the JWT is present as a cookie called BearerToken.

If omitted, its default value depends on the provider type:
Defaults to "cookie" for providers supporting user login (e.g. IDPorten).
Defaults to "header" for providers not supporting user login (e.g. Maskinporten).


Enum: header, cookie

false

Application.spec.idporten.requestAuthentication.outputClaimToHeaders[index]โ€‹

Parent
NameTypeDescriptionRequired
claimstring

The claim to be copied.

true
headerstring

The name of the HTTP header for which the specified claim will be copied to.

true

Application.spec.istioSettingsโ€‹

Parent

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

NameTypeDescriptionRequired
retriesobject

Retries is configurable automatic retries for requests towards the application.
By default requests falling under: "connect-failure,refused-stream,unavailable,cancelled" will be retried.

false
telemetryobject

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.


Default: map[tracing:[map[randomSamplingPercentage:10]]]

false

Application.spec.istioSettings.retriesโ€‹

Parent

Retries is configurable automatic retries for requests towards the application. By default requests falling under: "connect-failure,refused-stream,unavailable,cancelled" will be retried.

NameTypeDescriptionRequired
attemptsinteger

Attempts is the number of retries to be allowed for a given request before giving up. The interval between retries will be determined automatically (25ms+).
Default is 2


Format: int32
Minimum: 1

false
perTryTimeoutstring

PerTryTimeout is the timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms.
Default: no timeout


Format: duration

false
retryOnHttpResponseCodes[]int or string

RetryOnHttpResponseCodes HTTP response codes that should trigger a retry. A typical value is [503].
You may also use 5xx and retriable-4xx (only 409).
mixed types are allowed such as [503, "retriable-4xx"]

false

Application.spec.istioSettings.telemetryโ€‹

Parent

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

NameTypeDescriptionRequired
tracing[]object

Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed.


Default: [map[randomSamplingPercentage:10]]

false

Application.spec.istioSettings.telemetry.tracing[index]โ€‹

Parent

Tracing contains relevant settings for tracing in the telemetry configuration

NameTypeDescriptionRequired
randomSamplingPercentageinteger

RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified by a whole number between 0-100.
Setting RandomSamplingPercentage to 0 will disable tracing.


Default: 10
Minimum: 0
Maximum: 100

false

Application.spec.livenessโ€‹

Parent

Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make kubernetes restart the app. Liveness is optional, but when provided, path and port are required

See Probe for structure definition.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

Application.spec.maskinportenโ€‹

Parent

Settings for Maskinporten integration with Digitaliseringsdirektoratet

NameTypeDescriptionRequired
enabledboolean

If enabled, provisions and configures a Maskinporten client with consumed scopes and/or Exposed scopes with DigDir.

true
clientNamestring

The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal
Meant to be a human-readable name for separating clients in the portal

false
requestAuthenticationobject

RequestAuthentication specifies how incoming JWTs should be validated.

false
scopesobject

Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

false

Application.spec.maskinporten.requestAuthenticationโ€‹

Parent

RequestAuthentication specifies how incoming JWTs should be validated.

NameTypeDescriptionRequired
enabledboolean

Whether to enable JWT validation.
If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience.

true
forwardJwtboolean

If set to true, the original token will be kept for the upstream request. Defaults to true.


Default: true

false
ignorePaths[]string

IgnorePaths specifies paths that do not require an authenticated JWT.

The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
The paths can also contain the wildcard operator '*', but only at the end.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

false
paths[]string

Paths specifies paths that require an authenticated JWT.

The specified paths must be a valid URI path. It has to start with '/' and cannot end with '/'.
The paths can also contain the wildcard operator '*', but only at the end.

false
secretNamestring

The name of the Kubernetes Secret containing OAuth2 credentials.

If omitted, the associated client registration in the application manifest is used for JWT validation.

false
tokenLocationenum

Where to find the JWT in the incoming request

An enum value of header means that the JWT is present in the Authorization header as a Bearer token.
An enum value of cookie means that the JWT is present as a cookie called BearerToken.

If omitted, its default value depends on the provider type:
Defaults to "cookie" for providers supporting user login (e.g. IDPorten).
Defaults to "header" for providers not supporting user login (e.g. Maskinporten).


Enum: header, cookie

false

Application.spec.maskinporten.requestAuthentication.outputClaimToHeaders[index]โ€‹

Parent
NameTypeDescriptionRequired
claimstring

The claim to be copied.

true
headerstring

The name of the HTTP header for which the specified claim will be copied to.

true

Application.spec.maskinporten.scopesโ€‹

Parent

Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

NameTypeDescriptionRequired
consumes[]object

This is the Schema for the consumes and exposes API.
consumes is a list of scopes that your client can request access to.

false
exposes[]object

exposes is a list of scopes your application want to expose to other organization where access to the scope is based on organization number.

false

Application.spec.maskinporten.scopes.consumes[index]โ€‹

Parent
NameTypeDescriptionRequired
namestring

The scope consumed by the application to gain access to an external organization API.
Ensure that the NAV organization has been granted access to the scope prior to requesting access.

true

Application.spec.maskinporten.scopes.exposes[index]โ€‹

Parent
NameTypeDescriptionRequired
enabledboolean

If Enabled the configured scope is available to be used and consumed by organizations granted access.

true
namestring

The actual subscope combined with Product.
Ensure that &lt;Product&gt;&lt;Name&gt; matches Pattern.

true
productstring

The product-area your application belongs to e.g. arbeid, helse ...
This will be included in the final scope nav:&lt;Product&gt;&lt;Name&gt;.

true
accessibleForAllboolean

Allow any organization to access the scope.

false
allowedIntegrations[]string

Whitelisting of integration's allowed.
Default is maskinporten

false
atMaxAgeinteger

Max time in seconds for a issued access_token.
Default is 30 sec.


Minimum: 30
Maximum: 680

false
consumers[]object

External consumers granted access to this scope and able to request access_token.

false
delegationSourceenum

Delegation source for the scope. Default is empty, which means no delegation is allowed.


Enum: altinn

false
separatorstring

Separator is the character that separates product and name in the final scope:
scope := &lt;prefix&gt;:&lt;product&gt;&lt;separator&gt;&lt;name&gt;
This overrides the default separator.
The default separator is :. If name contains /, the default separator is instead /.

false
visibilityenum

Visibility controls the scope's visibility.
Public scopes are visible for everyone.
Private scopes are only visible for the organization that owns the scope as well as
organizations that have been granted consumer access.


Enum: private, public

false

Application.spec.maskinporten.scopes.exposes[index].consumers[index]โ€‹

Parent
NameTypeDescriptionRequired
orgnostring

The external business/organization number.

true
namestring

This is a describing field intended for clarity not used for any other purpose.

false

Application.spec.podSettingsโ€‹

Parent

PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.

NameTypeDescriptionRequired
annotationsmap[string]string

Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.

false
disablePodSpreadTopologyConstraintsboolean

DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to
a given pod.


Default: false

false
terminationGracePeriodSecondsinteger

TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than
30 seconds to terminate, you should increase TerminationGracePeriodSeconds.


Format: int64
Default: 30

false

Application.spec.prometheusโ€‹

Parent

Optional settings for how Prometheus compatible metrics should be scraped.

NameTypeDescriptionRequired
portint or string

The port number or name where metrics are exposed (at the Pod level).

true
allowAllMetricsboolean

Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined
metrics will be dropped by default. See util/constants.go for the default list.


Default: false

false
pathstring

The HTTP path where Prometheus compatible metrics exists


Default: /metrics

false
scrapeIntervalstring

ScrapeInterval specifies the interval at which Prometheus should scrape the metrics.
The interval must be at least 15 seconds (if using "Xs") and divisible by 5.
If minutes ("Xm") are used, the value must be at least 1m.


Default: 60s

false

Application.spec.readinessโ€‹

Parent

Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

Application.spec.resourcesโ€‹

Parent

ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.

NameTypeDescriptionRequired
limitsmap[string]int or string

Limits set the maximum the app is allowed to use. Exceeding this limit will
make kubernetes kill the app and restart it.

Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits

false
requestsmap[string]int or string

Requests set the initial allocation that is done for the app and will
thus be available to the app on startup. More is allocated on demand
until the limit is reached.

Requests can be set on the CPU and memory.

false

Application.spec.startupโ€‹

Parent

Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

Application.spec.statefulโ€‹

Parent

Stateful, when set with enabled=true, generates a StatefulSet instead of a Deployment. Requires VolumeClaimTemplates. Disallows Strategy.Type=Recreate and HPA-range replicas. The enabled flag is immutable - delete and recreate the Application to change.

NameTypeDescriptionRequired
enabledboolean

When true, generates a StatefulSet instead of a Deployment.
This value is immutable - delete and recreate the Application to change


Default: false

false
partitioninteger

Staged rollouts - only pods with ordinal >= Partition are updated.
Set Partition equal to replicas to pause updates.


Format: int32
Minimum: 0

false
podManagementPolicyenum

Controls pod creation and update order. OrderedReady creates pods one at a time, Parallel creates them simultaneously.


Enum: OrderedReady, Parallel

false
pvcRetentionWhenDeletedenum

PVC fate when the StatefulSet is deleted. Defaults to Retain.


Enum: Retain, Delete

false
pvcRetentionWhenScaledenum

PVC fate when the StatefulSet is scaled down. Defaults to Retain.


Enum: Retain, Delete

false
volumeClaimTemplates[]object

Per-pod PersistentVolumeClaims provisioned by the StatefulSet controller.
Each replica gets its own PVC named &lt;template.metadata.name&gt;-&lt;app&gt;-&lt;ordinal&gt;.

false

Application.spec.stateful.volumeClaimTemplates[index]โ€‹

Parent

VolumeClaimTemplate describes a per-pod PersistentVolumeClaim provisioned by the StatefulSet controller. Name serves as both the pod volume reference and the PVC prefix

NameTypeDescriptionRequired
mountPathstring

Where the volume is mounted inside the container

true
namestring

Pod volume name and PVC name prefix. Resulting PVCs are named &lt;name&gt;-&lt;app&gt;-&lt;ordinal&gt;

true
specobject

PVC spec

true
annotationsmap[string]string

Optional annotations applied to PVCs

false
labelsmap[string]string

Optional labels applied to PVCs

false
subPathstring

Subpath within the volume to mount instead of its root

false

Application.spec.stateful.volumeClaimTemplates[index].specโ€‹

Parent

PVC spec

NameTypeDescriptionRequired
accessModes[]string

accessModes contains the desired access modes the volume should have.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1

false
dataSourceobject

dataSource field can be used to specify either:
* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim)
If the provisioner or an external controller can support the specified data source,
it will create a new volume based on the contents of the specified data source.
When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
If the namespace is specified, then dataSourceRef will not be copied to dataSource.

false
dataSourceRefobject

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
volume is desired. This may be any object from a non-empty API group (non
core object) or a PersistentVolumeClaim object.
When this field is specified, volume binding will only succeed if the type of
the specified object matches some installed volume populator or dynamic
provisioner.
This field will replace the functionality of the dataSource field and as such
if both fields are non-empty, they must have the same value. For backwards
compatibility, when namespace isn't specified in dataSourceRef,
both fields (dataSource and dataSourceRef) will be set to the same
value automatically if one of them is empty and the other is non-empty.
When namespace is specified in dataSourceRef,
dataSource isn't set to the same value and must be empty.
There are three important differences between dataSource and dataSourceRef:
* While dataSource only allows two specific types of objects, dataSourceRef
allows any non-core object, as well as PersistentVolumeClaim objects.
* While dataSource ignores disallowed values (dropping them), dataSourceRef
preserves all values, and generates an error if a disallowed value is
specified.
* While dataSource only allows local objects, dataSourceRef allows objects
in any namespaces.
(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

false
resourcesobject

resources represents the minimum resources the volume should have.
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources

false
selectorobject

selector is a label query over volumes to consider for binding.

false
storageClassNamestring

storageClassName is the name of the StorageClass required by the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1

false
volumeAttributesClassNamestring

volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
it can be changed after the claim is created. An empty string or nil value indicates that no
VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/

false
volumeModestring

volumeMode defines what type of volume is required by the claim.
Value of Filesystem is implied when not included in claim spec.

false
volumeNamestring

volumeName is the binding reference to the PersistentVolume backing this claim.

false

Application.spec.stateful.volumeClaimTemplates[index].spec.dataSourceโ€‹

Parent

dataSource field can be used to specify either:

  • An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
  • An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.
NameTypeDescriptionRequired
kindstring

Kind is the type of resource being referenced

true
namestring

Name is the name of resource being referenced

true
apiGroupstring

APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.

false

Application.spec.stateful.volumeClaimTemplates[index].spec.dataSourceRefโ€‹

Parent

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn't specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn't set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef:

  • While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects.
  • While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified.
  • While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
NameTypeDescriptionRequired
kindstring

Kind is the type of resource being referenced

true
namestring

Name is the name of resource being referenced

true
apiGroupstring

APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.

false
namespacestring

Namespace is the namespace of resource being referenced
Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

false

Application.spec.stateful.volumeClaimTemplates[index].spec.resourcesโ€‹

Parent

resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources

NameTypeDescriptionRequired
limitsmap[string]int or string

Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

false
requestsmap[string]int or string

Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

false

Application.spec.stateful.volumeClaimTemplates[index].spec.selectorโ€‹

Parent

selector is a label query over volumes to consider for binding.

NameTypeDescriptionRequired
matchExpressions[]object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

false
matchLabelsmap[string]string

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.

false

Application.spec.stateful.volumeClaimTemplates[index].spec.selector.matchExpressions[index]โ€‹

Parent

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

NameTypeDescriptionRequired
keystring

key is the label key that the selector applies to.

true
operatorstring

operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.

true
values[]string

values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.

false

Application.spec.strategyโ€‹

Parent

Defines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones.

Valid values are: RollingUpdate, Recreate. Default is RollingUpdate

NameTypeDescriptionRequired
typeenum

Valid values are: RollingUpdate, Recreate. Default is RollingUpdate


Enum: RollingUpdate, Recreate
Default: RollingUpdate

false

Application.statusโ€‹

Parent

ApplicationStatus is a specialized status specific to the Application kind.

NameTypeDescriptionRequired
accessPoliciesstring

Indicates if access policies are valid

true
conditions[]object
true
subresourcesmap[string]object
true
summaryobject

Status

true
applicationKindstring

Kind generated for this Application after a successful reconcile.
Used to prevent switching between Deployment and StatefulSet.

false

Application.status.conditions[index]โ€‹

Parent

Condition contains details for one aspect of the current state of this API Resource.

NameTypeDescriptionRequired
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.


Format: date-time

true
messagestring

message is a human readable message indicating details about the transition.
This may be an empty string.

true
reasonstring

reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.

true
statusenum

status of the condition, one of True, False, Unknown.


Enum: True, False, Unknown

true
typestring

type of condition in CamelCase or in foo.example.com/CamelCase.

true
observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.


Format: int64
Minimum: 0

false

Application.status.subresources[key]โ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

Application.status.summaryโ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

Routingโ€‹

FieldValue
Packageskiperator.kartverket.no/v1alpha1
API versionskiperator.kartverket.no/v1alpha1
KindRouting
NameTypeDescriptionRequired
apiVersionstringskiperator.kartverket.no/v1alpha1true
kindstringRoutingtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject
true
statusobject

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

false

Routing.specโ€‹

Parent
NameTypeDescriptionRequired
hostnamestring
true
routes[]object
true
redirectToHTTPSboolean

Default: true

false

Routing.spec.routes[index]โ€‹

Parent
NameTypeDescriptionRequired
pathPrefixstring
true
targetAppstring
true
portinteger

Format: int32

false
rewriteUriboolean

Default: false

false

Routing.statusโ€‹

Parent

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

NameTypeDescriptionRequired
accessPoliciesstring

Indicates if access policies are valid

true
conditions[]object
true
subresourcesmap[string]object
true
summaryobject

Status

true

Routing.status.conditions[index]โ€‹

Parent

Condition contains details for one aspect of the current state of this API Resource.

NameTypeDescriptionRequired
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.


Format: date-time

true
messagestring

message is a human readable message indicating details about the transition.
This may be an empty string.

true
reasonstring

reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.

true
statusenum

status of the condition, one of True, False, Unknown.


Enum: True, False, Unknown

true
typestring

type of condition in CamelCase or in foo.example.com/CamelCase.

true
observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.


Format: int64
Minimum: 0

false

Routing.status.subresources[key]โ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

Routing.status.summaryโ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

SKIPJobโ€‹

FieldValue
Packageskiperator.kartverket.no/v1alpha1
API versionskiperator.kartverket.no/v1alpha1
KindSKIPJob

SKIPJob is the deprecated schema for the SKIPJobs API. Please migrate to v1beta1.

NameTypeDescriptionRequired
apiVersionstringskiperator.kartverket.no/v1alpha1true
kindstringSKIPJobtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

SKIPJobSpec defines the desired state of SKIPJob

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added.
The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings.

true
statusobject

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

false

SKIPJob.specโ€‹

Parent

SKIPJobSpec defines the desired state of SKIPJob

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings.

NameTypeDescriptionRequired
containerobject

Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added.
Once set, you may not change Container without deleting your current SKIPJob

true
cronobject

Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.

false
istioSettingsobject

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling
interval for tracing is the only supported option.
By default, tracing is enabled with a random sampling percentage of 10%.


Default: map[telemetry:map[tracing:[map[randomSamplingPercentage:10]]]]

false
jobobject

Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.

false
labelsmap[string]string

Labels can be used if you want every resource created by your SKIPJob to
have the same labels, including the Job/CronJob itself. This could for example be useful for
metrics, where a certain label and the corresponding resources liveliness can be combined.
Any amount of labels can be added as wanted, and they will all cascade down to all resources.

false
prometheusobject

Prometheus settings for pod running in job. Fields are identical to Application and if set,
a podmonitoring object is created.

false
teamstring

Team specifies the team who owns this particular SKIPJob.
Usually sourced from the namespace label.

false

SKIPJob.spec.containerโ€‹

Parent

Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob

NameTypeDescriptionRequired
imagestring
true
accessPolicyobject

AccessPolicy

Zero trust dictates that only applications with a reason for being able
to access another resource should be able to reach it. This is set up by
default by denying all ingress and egress traffic from the Pods in the
Deployment. The AccessPolicy field is an allowlist of other applications and hostnames
that are allowed to talk with this Application and which resources this app can talk to

false
additionalPorts[]object
false
command[]string
false
env[]object
false
envFrom[]object
false
filesFrom[]object
false
gcpobject

GCP

Configuration for interacting with Google Cloud Platform

false
livenessobject

Probe

Type configuration for all types of Kubernetes probes.

false
podSettingsobject

PodSettings

false
priorityenum

Enum: low, medium, high
Default: medium

false
readinessobject

Probe

Type configuration for all types of Kubernetes probes.

false
resourcesobject

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present.
For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

false
restartPolicyenum

RestartPolicy describes how the container should be restarted.
Only one of the following restart policies may be specified.
If none of the following policies is specified, the default one
is RestartPolicyAlways.


Enum: OnFailure, Never
Default: Never

false
startupobject

Probe

Type configuration for all types of Kubernetes probes.

false

SKIPJob.spec.container.accessPolicyโ€‹

Parent

AccessPolicy

Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to

NameTypeDescriptionRequired
inboundobject

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

false
outboundobject

Outbound specifies egress rules. Which apps on the cluster and the
internet is the Application allowed to send requests to?

false

SKIPJob.spec.container.accessPolicy.inboundโ€‹

Parent

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

NameTypeDescriptionRequired
rules[]object

The rules list specifies a list of applications. When no namespace is
specified it refers to an app in the current namespace. For apps in
other namespaces namespace is required

true

SKIPJob.spec.container.accessPolicy.inbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

SKIPJob.spec.container.accessPolicy.inbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

SKIPJob.spec.container.accessPolicy.outboundโ€‹

Parent

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

NameTypeDescriptionRequired
external[]object

External specifies which applications on the internet the application
can reach. Only host is required unless it is on another port than HTTPS port 443.
If other ports or protocols are required then ports must be specified as well

false
rules[]object

Rules apply the same in-cluster rules as InboundPolicy

false

SKIPJob.spec.container.accessPolicy.outbound.external[index]โ€‹

Parent

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

NameTypeDescriptionRequired
hoststring

The allowed hostname. Note that this does not include subdomains.

true
ipstring

Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname
Only required for TCP requests.

Note: Hostname must always be defined even if IP is set statically

false
ports[]object

The ports to allow for the above hostname. When not specified HTTP and
HTTPS on port 80 and 443 respectively are put into the allowlist

false

SKIPJob.spec.container.accessPolicy.outbound.external[index].ports[index]โ€‹

Parent

ExternalPort

A custom port describing an external host

NameTypeDescriptionRequired
namestring

Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.

true
portinteger

The port number of the external host

true
protocolenum

The protocol to use for communication with the host. Supported protocols are: HTTP, HTTPS, TCP and TLS.


Enum: HTTP, HTTPS, TCP, TLS

true

SKIPJob.spec.container.accessPolicy.outbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

SKIPJob.spec.container.accessPolicy.outbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

SKIPJob.spec.container.additionalPorts[index]โ€‹

Parent
NameTypeDescriptionRequired
namestring
true
portinteger

Format: int32

true
protocolenum

Protocol defines network protocols supported for things like container ports.


Enum: TCP, UDP, SCTP

true

SKIPJob.spec.container.env[index]โ€‹

Parent

EnvVar represents an environment variable present in a Container.

NameTypeDescriptionRequired
namestring

Name of the environment variable.
May consist of any printable ASCII characters except '='.

true
valuestring

Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".

false
valueFromobject

Source for the environment variable's value. Cannot be used if value is not empty.

false

SKIPJob.spec.container.env[index].valueFromโ€‹

Parent

Source for the environment variable's value. Cannot be used if value is not empty.

NameTypeDescriptionRequired
configMapKeyRefobject

Selects a key of a ConfigMap.

false
fieldRefobject

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels[&#39;&lt;KEY&gt;&#39;], metadata.annotations[&#39;&lt;KEY&gt;&#39;],
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

false
fileKeyRefobject

FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.

false
resourceFieldRefobject

Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

false
secretKeyRefobject

Selects a key of a secret in the pod's namespace

false

SKIPJob.spec.container.env[index].valueFrom.configMapKeyRefโ€‹

Parent

Selects a key of a ConfigMap.

NameTypeDescriptionRequired
keystring

The key to select.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the ConfigMap or its key must be defined

false

SKIPJob.spec.container.env[index].valueFrom.fieldRefโ€‹

Parent

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

NameTypeDescriptionRequired
fieldPathstring

Path of the field to select in the specified API version.

true
apiVersionstring

Version of the schema the FieldPath is written in terms of, defaults to "v1".

false

SKIPJob.spec.container.env[index].valueFrom.fileKeyRefโ€‹

Parent

FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.

NameTypeDescriptionRequired
keystring

The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.

true
pathstring

The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.

true
volumeNamestring

The name of the volume mount containing the env file.

true
optionalboolean

Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.

If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.


Default: false

false

SKIPJob.spec.container.env[index].valueFrom.resourceFieldRefโ€‹

Parent

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

NameTypeDescriptionRequired
resourcestring

Required: resource to select

true
containerNamestring

Container name: required for volumes, optional for env vars

false
divisorint or string

Specifies the output format of the exposed resources, defaults to "1"

false

SKIPJob.spec.container.env[index].valueFrom.secretKeyRefโ€‹

Parent

Selects a key of a secret in the pod's namespace

NameTypeDescriptionRequired
keystring

The key of the secret to select from. Must be a valid secret key.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the Secret or its key must be defined

false

SKIPJob.spec.container.envFrom[index]โ€‹

Parent
NameTypeDescriptionRequired
configMapstring

Name of Kubernetes ConfigMap in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false
secretstring

Name of Kubernetes Secret in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false

SKIPJob.spec.container.filesFrom[index]โ€‹

Parent

FilesFrom

Struct representing information needed to mount a Kubernetes resource as a file to a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and just represent the name of the resource in question NB. Out-of-the-box, skiperator provides a writable 'emptyDir'-volume at '/tmp'

NameTypeDescriptionRequired
mountPathstring

The path to mount the file in the Pods directory. Required.

true
configMapstring
false
defaultModeinteger

defaultMode is optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.

false
emptyDirstring
false
persistentVolumeClaimstring
false
secretstring
false

SKIPJob.spec.container.gcpโ€‹

Parent

GCP

Configuration for interacting with Google Cloud Platform

NameTypeDescriptionRequired
authobject

Configuration for authenticating a Pod with Google Cloud Platform
For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need
to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP
service account and bind this to the Pod's Kubernetes SA.
Documentation on how this is done can be found here (Closed Wiki):
https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

false
cloudSqlProxyobject

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod.
This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

false

SKIPJob.spec.container.gcp.authโ€‹

Parent

Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

NameTypeDescriptionRequired
serviceAccountstring

Name of the service account in which you are trying to authenticate your pod with
Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com

true

SKIPJob.spec.container.gcp.cloudSqlProxyโ€‹

Parent

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

NameTypeDescriptionRequired
connectionNamestring

Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource.
The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db".

true
ipstring

The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy.

true
serviceAccountstring

Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role.

true
publicIPboolean

Default: false

false
versionstring

Image version for the CloudSQL proxy sidecar.

false

SKIPJob.spec.container.livenessโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.spec.container.podSettingsโ€‹

Parent

PodSettings

NameTypeDescriptionRequired
annotationsmap[string]string

Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.

false
disablePodSpreadTopologyConstraintsboolean

DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to
a given pod.


Default: false

false
terminationGracePeriodSecondsinteger

TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than
30 seconds to terminate, you should increase TerminationGracePeriodSeconds.


Format: int64
Default: 30

false

SKIPJob.spec.container.readinessโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.spec.container.resourcesโ€‹

Parent

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

NameTypeDescriptionRequired
limitsmap[string]int or string

Limits set the maximum the app is allowed to use. Exceeding this limit will
make kubernetes kill the app and restart it.

Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits

false
requestsmap[string]int or string

Requests set the initial allocation that is done for the app and will
thus be available to the app on startup. More is allocated on demand
until the limit is reached.

Requests can be set on the CPU and memory.

false

SKIPJob.spec.container.startupโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.spec.cronโ€‹

Parent

Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.

NameTypeDescriptionRequired
schedulestring

A CronJob string for denoting the schedule of this job. See https://crontab.guru/ for help creating CronJob strings.
Kubernetes CronJobs also include the extended "Vixie cron" step values: https://man.freebsd.org/cgi/man.cgi?crontab%285%29.

true
allowConcurrencyenum

Denotes how Kubernetes should react to multiple instances of the Job being started at the same time.
Allow will allow concurrent jobs. Forbid will not allow this, and instead skip the newer schedule Job.
Replace will replace the current active Job with the newer scheduled Job.


Enum: Allow, Forbid, Replace
Default: Allow

false
startingDeadlineSecondsinteger

Denotes the deadline in seconds for starting a job on its schedule, if for some reason the Job's controller was not ready upon the scheduled time.
If unset, Jobs missing their deadline will be considered failed jobs and will not start.


Format: int64

false
suspendboolean

If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to true,
all running Pods will be terminated.

false
timeZonestring

The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified,
this will default to the time zone of the cluster.

Example: "Europe/Oslo"

false

SKIPJob.spec.istioSettingsโ€‹

Parent

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

NameTypeDescriptionRequired
telemetryobject

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.


Default: map[tracing:[map[randomSamplingPercentage:10]]]

false

SKIPJob.spec.istioSettings.telemetryโ€‹

Parent

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

NameTypeDescriptionRequired
tracing[]object

Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed.


Default: [map[randomSamplingPercentage:10]]

false

SKIPJob.spec.istioSettings.telemetry.tracing[index]โ€‹

Parent

Tracing contains relevant settings for tracing in the telemetry configuration

NameTypeDescriptionRequired
randomSamplingPercentageinteger

RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified by a whole number between 0-100.
Setting RandomSamplingPercentage to 0 will disable tracing.


Default: 10
Minimum: 0
Maximum: 100

false

SKIPJob.spec.jobโ€‹

Parent

Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.

NameTypeDescriptionRequired
activeDeadlineSecondsinteger

ActiveDeadlineSeconds denotes a duration in seconds started from when the job is first active. If the deadline is reached during the job's workload
the job and its Pods are terminated. If the job is suspended using the Suspend field, this timer is stopped and reset when unsuspended.


Format: int64

false
backoffLimitinteger

Specifies the number of retry attempts before determining the job as failed. Defaults to 6.


Format: int32

false
suspendboolean

If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to false,
all running Pods will be terminated.

false
ttlSecondsAfterFinishedinteger

The number of seconds to wait before removing the Job after it has finished. If unset, Job will not be cleaned up.
It is recommended to set this to avoid clutter in your resource tree.


Format: int32

false

SKIPJob.spec.prometheusโ€‹

Parent

Prometheus settings for pod running in job. Fields are identical to Application and if set, a podmonitoring object is created.

NameTypeDescriptionRequired
portint or string

The port number or name where metrics are exposed (at the Pod level).

true
allowAllMetricsboolean

Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined
metrics will be dropped by default. See util/constants.go for the default list.


Default: false

false
pathstring

The HTTP path where Prometheus compatible metrics exists


Default: /metrics

false
scrapeIntervalstring

ScrapeInterval specifies the interval at which Prometheus should scrape the metrics.
The interval must be at least 15 seconds (if using "Xs") and divisible by 5.
If minutes ("Xm") are used, the value must be at least 1m.


Default: 60s

false

SKIPJob.statusโ€‹

Parent

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

NameTypeDescriptionRequired
accessPoliciesstring

Indicates if access policies are valid

true
conditions[]object
true
subresourcesmap[string]object
true
summaryobject

Status

true

SKIPJob.status.conditions[index]โ€‹

Parent

Condition contains details for one aspect of the current state of this API Resource.

NameTypeDescriptionRequired
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.


Format: date-time

true
messagestring

message is a human readable message indicating details about the transition.
This may be an empty string.

true
reasonstring

reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.

true
statusenum

status of the condition, one of True, False, Unknown.


Enum: True, False, Unknown

true
typestring

type of condition in CamelCase or in foo.example.com/CamelCase.

true
observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.


Format: int64
Minimum: 0

false

SKIPJob.status.subresources[key]โ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

SKIPJob.status.summaryโ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

Package skiperator.kartverket.no/v1beta1โ€‹

Resource types in this package:

SKIPJobโ€‹

FieldValue
Packageskiperator.kartverket.no/v1beta1
API versionskiperator.kartverket.no/v1beta1
KindSKIPJob

SKIPJob is the supported schema for the SKIPJobs API.

NameTypeDescriptionRequired
apiVersionstringskiperator.kartverket.no/v1beta1true
kindstringSKIPJobtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

SKIPJobSpec defines the desired state of SKIPJob

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added.

true
statusobject

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

false

SKIPJob.specโ€‹

Parent

SKIPJobSpec defines the desired state of SKIPJob

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added.

NameTypeDescriptionRequired
imagestring
true
accessPolicyobject

AccessPolicy

Zero trust dictates that only applications with a reason for being able
to access another resource should be able to reach it. This is set up by
default by denying all ingress and egress traffic from the Pods in the
Deployment. The AccessPolicy field is an allowlist of other applications and hostnames
that are allowed to talk with this Application and which resources this app can talk to

false
additionalPorts[]object
false
command[]string
false
cronobject

Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.

false
env[]object
false
envFrom[]object
false
filesFrom[]object
false
gcpobject

GCP

Configuration for interacting with Google Cloud Platform

false
istioSettingsobject

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling
interval for tracing is the only supported option.
By default, tracing is enabled with a random sampling percentage of 10%.


Default: map[telemetry:map[tracing:[map[randomSamplingPercentage:10]]]]

false
jobobject

Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.

false
labelsmap[string]string

Labels can be used if you want every resource created by your SKIPJob to
have the same labels, including the Job/CronJob itself. This could for example be useful for
metrics, where a certain label and the corresponding resources liveliness can be combined.
Any amount of labels can be added as wanted, and they will all cascade down to all resources.

false
livenessobject

Probe

Type configuration for all types of Kubernetes probes.

false
podSettingsobject

PodSettings

false
priorityenum

Enum: low, medium, high
Default: medium

false
prometheusobject

Prometheus settings for pod running in job. Fields are identical to Application and if set,
a podmonitoring object is created.

false
readinessobject

Probe

Type configuration for all types of Kubernetes probes.

false
resourcesobject

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present.
For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

false
restartPolicyenum

RestartPolicy describes how the container should be restarted.
Only one of the following restart policies may be specified.
If none of the following policies is specified, the default one
is RestartPolicyAlways.


Enum: OnFailure, Never
Default: Never

false
startupobject

Probe

Type configuration for all types of Kubernetes probes.

false
teamstring

Team specifies the team who owns this particular SKIPJob.
Usually sourced from the namespace label.

false

SKIPJob.spec.accessPolicyโ€‹

Parent

AccessPolicy

Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to

NameTypeDescriptionRequired
inboundobject

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

false
outboundobject

Outbound specifies egress rules. Which apps on the cluster and the
internet is the Application allowed to send requests to?

false

SKIPJob.spec.accessPolicy.inboundโ€‹

Parent

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

NameTypeDescriptionRequired
rules[]object

The rules list specifies a list of applications. When no namespace is
specified it refers to an app in the current namespace. For apps in
other namespaces namespace is required

true

SKIPJob.spec.accessPolicy.inbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

SKIPJob.spec.accessPolicy.inbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

SKIPJob.spec.accessPolicy.outboundโ€‹

Parent

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

NameTypeDescriptionRequired
external[]object

External specifies which applications on the internet the application
can reach. Only host is required unless it is on another port than HTTPS port 443.
If other ports or protocols are required then ports must be specified as well

false
rules[]object

Rules apply the same in-cluster rules as InboundPolicy

false

SKIPJob.spec.accessPolicy.outbound.external[index]โ€‹

Parent

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

NameTypeDescriptionRequired
hoststring

The allowed hostname. Note that this does not include subdomains.

true
ipstring

Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname
Only required for TCP requests.

Note: Hostname must always be defined even if IP is set statically

false
ports[]object

The ports to allow for the above hostname. When not specified HTTP and
HTTPS on port 80 and 443 respectively are put into the allowlist

false

SKIPJob.spec.accessPolicy.outbound.external[index].ports[index]โ€‹

Parent

ExternalPort

A custom port describing an external host

NameTypeDescriptionRequired
namestring

Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.

true
portinteger

The port number of the external host

true
protocolenum

The protocol to use for communication with the host. Supported protocols are: HTTP, HTTPS, TCP and TLS.


Enum: HTTP, HTTPS, TCP, TLS

true

SKIPJob.spec.accessPolicy.outbound.rules[index]โ€‹

Parent

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

NameTypeDescriptionRequired
applicationstring

The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob

true
namespacestring

The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application.

false
namespacesByLabelmap[string]string

Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted.

false
ports[]object

The ports to allow for the above application.

false

SKIPJob.spec.accessPolicy.outbound.rules[index].ports[index]โ€‹

Parent

NetworkPolicyPort describes a port to allow traffic on

NameTypeDescriptionRequired
endPortinteger

endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.


Format: int32

false
portint or string

port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.

false
protocolstring

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.

false

SKIPJob.spec.additionalPorts[index]โ€‹

Parent
NameTypeDescriptionRequired
namestring
true
portinteger

Format: int32

true
protocolenum

Protocol defines network protocols supported for things like container ports.


Enum: TCP, UDP, SCTP

true

SKIPJob.spec.cronโ€‹

Parent

Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off.

NameTypeDescriptionRequired
schedulestring

A CronJob string for denoting the schedule of this job. See https://crontab.guru/ for help creating CronJob strings.
Kubernetes CronJobs also include the extended "Vixie cron" step values: https://man.freebsd.org/cgi/man.cgi?crontab%285%29.

true
allowConcurrencyenum

Denotes how Kubernetes should react to multiple instances of the Job being started at the same time.
Allow will allow concurrent jobs. Forbid will not allow this, and instead skip the newer schedule Job.
Replace will replace the current active Job with the newer scheduled Job.


Enum: Allow, Forbid, Replace
Default: Allow

false
startingDeadlineSecondsinteger

Denotes the deadline in seconds for starting a job on its schedule, if for some reason the Job's controller was not ready upon the scheduled time.
If unset, Jobs missing their deadline will be considered failed jobs and will not start.


Format: int64

false
suspendboolean

If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to true,
all running Pods will be terminated.

false
timeZonestring

The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified,
this will default to the time zone of the cluster.

Example: "Europe/Oslo"

false

SKIPJob.spec.env[index]โ€‹

Parent

EnvVar represents an environment variable present in a Container.

NameTypeDescriptionRequired
namestring

Name of the environment variable.
May consist of any printable ASCII characters except '='.

true
valuestring

Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".

false
valueFromobject

Source for the environment variable's value. Cannot be used if value is not empty.

false

SKIPJob.spec.env[index].valueFromโ€‹

Parent

Source for the environment variable's value. Cannot be used if value is not empty.

NameTypeDescriptionRequired
configMapKeyRefobject

Selects a key of a ConfigMap.

false
fieldRefobject

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels[&#39;&lt;KEY&gt;&#39;], metadata.annotations[&#39;&lt;KEY&gt;&#39;],
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

false
fileKeyRefobject

FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.

false
resourceFieldRefobject

Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

false
secretKeyRefobject

Selects a key of a secret in the pod's namespace

false

SKIPJob.spec.env[index].valueFrom.configMapKeyRefโ€‹

Parent

Selects a key of a ConfigMap.

NameTypeDescriptionRequired
keystring

The key to select.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the ConfigMap or its key must be defined

false

SKIPJob.spec.env[index].valueFrom.fieldRefโ€‹

Parent

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

NameTypeDescriptionRequired
fieldPathstring

Path of the field to select in the specified API version.

true
apiVersionstring

Version of the schema the FieldPath is written in terms of, defaults to "v1".

false

SKIPJob.spec.env[index].valueFrom.fileKeyRefโ€‹

Parent

FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.

NameTypeDescriptionRequired
keystring

The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.

true
pathstring

The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.

true
volumeNamestring

The name of the volume mount containing the env file.

true
optionalboolean

Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.

If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.


Default: false

false

SKIPJob.spec.env[index].valueFrom.resourceFieldRefโ€‹

Parent

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

NameTypeDescriptionRequired
resourcestring

Required: resource to select

true
containerNamestring

Container name: required for volumes, optional for env vars

false
divisorint or string

Specifies the output format of the exposed resources, defaults to "1"

false

SKIPJob.spec.env[index].valueFrom.secretKeyRefโ€‹

Parent

Selects a key of a secret in the pod's namespace

NameTypeDescriptionRequired
keystring

The key of the secret to select from. Must be a valid secret key.

true
namestring

Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


Default: ``

false
optionalboolean

Specify whether the Secret or its key must be defined

false

SKIPJob.spec.envFrom[index]โ€‹

Parent
NameTypeDescriptionRequired
configMapstring

Name of Kubernetes ConfigMap in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false
secretstring

Name of Kubernetes Secret in which the deployment should mount environment variables from. Must be in the same namespace as the Application

false

SKIPJob.spec.filesFrom[index]โ€‹

Parent

FilesFrom

Struct representing information needed to mount a Kubernetes resource as a file to a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and just represent the name of the resource in question NB. Out-of-the-box, skiperator provides a writable 'emptyDir'-volume at '/tmp'

NameTypeDescriptionRequired
mountPathstring

The path to mount the file in the Pods directory. Required.

true
configMapstring
false
defaultModeinteger

defaultMode is optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.

false
emptyDirstring
false
persistentVolumeClaimstring
false
secretstring
false

SKIPJob.spec.gcpโ€‹

Parent

GCP

Configuration for interacting with Google Cloud Platform

NameTypeDescriptionRequired
authobject

Configuration for authenticating a Pod with Google Cloud Platform
For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need
to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP
service account and bind this to the Pod's Kubernetes SA.
Documentation on how this is done can be found here (Closed Wiki):
https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

false
cloudSqlProxyobject

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod.
This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

false

SKIPJob.spec.gcp.authโ€‹

Parent

Configuration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

NameTypeDescriptionRequired
serviceAccountstring

Name of the service account in which you are trying to authenticate your pod with
Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com

true

SKIPJob.spec.gcp.cloudSqlProxyโ€‹

Parent

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

NameTypeDescriptionRequired
connectionNamestring

Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource.
The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db".

true
ipstring

The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy.

true
serviceAccountstring

Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role.

true
publicIPboolean

Default: false

false
versionstring

Image version for the CloudSQL proxy sidecar.

false

SKIPJob.spec.istioSettingsโ€‹

Parent

IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

NameTypeDescriptionRequired
telemetryobject

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.


Default: map[tracing:[map[randomSamplingPercentage:10]]]

false

SKIPJob.spec.istioSettings.telemetryโ€‹

Parent

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

NameTypeDescriptionRequired
tracing[]object

Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed.


Default: [map[randomSamplingPercentage:10]]

false

SKIPJob.spec.istioSettings.telemetry.tracing[index]โ€‹

Parent

Tracing contains relevant settings for tracing in the telemetry configuration

NameTypeDescriptionRequired
randomSamplingPercentageinteger

RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified by a whole number between 0-100.
Setting RandomSamplingPercentage to 0 will disable tracing.


Default: 10
Minimum: 0
Maximum: 100

false

SKIPJob.spec.jobโ€‹

Parent

Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.

NameTypeDescriptionRequired
activeDeadlineSecondsinteger

ActiveDeadlineSeconds denotes a duration in seconds started from when the job is first active. If the deadline is reached during the job's workload
the job and its Pods are terminated. If the job is suspended using the Suspend field, this timer is stopped and reset when unsuspended.


Format: int64

false
backoffLimitinteger

Specifies the number of retry attempts before determining the job as failed. Defaults to 6.


Format: int32

false
suspendboolean

If set to true, this tells Kubernetes to suspend this Job till the field is set to false. If the Job is active while this field is set to false,
all running Pods will be terminated.

false
ttlSecondsAfterFinishedinteger

The number of seconds to wait before removing the Job after it has finished. If unset, Job will not be cleaned up.
It is recommended to set this to avoid clutter in your resource tree.


Format: int32

false

SKIPJob.spec.livenessโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.spec.podSettingsโ€‹

Parent

PodSettings

NameTypeDescriptionRequired
annotationsmap[string]string

Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.

false
disablePodSpreadTopologyConstraintsboolean

DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to
a given pod.


Default: false

false
terminationGracePeriodSecondsinteger

TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than
30 seconds to terminate, you should increase TerminationGracePeriodSeconds.


Format: int64
Default: 30

false

SKIPJob.spec.prometheusโ€‹

Parent

Prometheus settings for pod running in job. Fields are identical to Application and if set, a podmonitoring object is created.

NameTypeDescriptionRequired
portint or string

The port number or name where metrics are exposed (at the Pod level).

true
allowAllMetricsboolean

Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined
metrics will be dropped by default. See util/constants.go for the default list.


Default: false

false
pathstring

The HTTP path where Prometheus compatible metrics exists


Default: /metrics

false
scrapeIntervalstring

ScrapeInterval specifies the interval at which Prometheus should scrape the metrics.
The interval must be at least 15 seconds (if using "Xs") and divisible by 5.
If minutes ("Xm") are used, the value must be at least 1m.


Default: 60s

false

SKIPJob.spec.readinessโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.spec.resourcesโ€‹

Parent

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

NameTypeDescriptionRequired
limitsmap[string]int or string

Limits set the maximum the app is allowed to use. Exceeding this limit will
make kubernetes kill the app and restart it.

Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits

false
requestsmap[string]int or string

Requests set the initial allocation that is done for the app and will
thus be available to the app on startup. More is allocated on demand
until the limit is reached.

Requests can be set on the CPU and memory.

false

SKIPJob.spec.startupโ€‹

Parent

Probe

Type configuration for all types of Kubernetes probes.

NameTypeDescriptionRequired
pathstring

The path to access on the HTTP server

true
portint or string

Number of the port to access on the container

true
failureThresholdinteger

Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1


Format: int32
Default: 3

false
initialDelayinteger

Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start.


Format: int32
Default: 0

false
periodinteger

Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.


Format: int32
Default: 10

false
successThresholdinteger

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1.


Format: int32
Default: 1

false
timeoutinteger

Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1


Format: int32
Default: 1

false

SKIPJob.statusโ€‹

Parent

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

NameTypeDescriptionRequired
accessPoliciesstring

Indicates if access policies are valid

true
conditions[]object
true
subresourcesmap[string]object
true
summaryobject

Status

true

SKIPJob.status.conditions[index]โ€‹

Parent

Condition contains details for one aspect of the current state of this API Resource.

NameTypeDescriptionRequired
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.


Format: date-time

true
messagestring

message is a human readable message indicating details about the transition.
This may be an empty string.

true
reasonstring

reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.

true
statusenum

status of the condition, one of True, False, Unknown.


Enum: True, False, Unknown

true
typestring

type of condition in CamelCase or in foo.example.com/CamelCase.

true
observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.


Format: int64
Minimum: 0

false

SKIPJob.status.subresources[key]โ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true

SKIPJob.status.summaryโ€‹

Parent

Status

NameTypeDescriptionRequired
messagestring

Default: Resource accepted by Kubernetes. Waiting for Skiperator to become aware of the resource and start processing.

true
statusstring

Default: Pending

true
timestampstring
true