API Reference
Packages:
skiperator.kartverket.no/v1alpha1
Resource Types:
Application
Application
Root object for the Application resource. An Application resource is a resource for easily managing a Dockerized container within the context of a Kartverket cluster. It lets product teams avoid having to set up networking on the cluster, and gives them a number of security features out of the box.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | skiperator.kartverket.no/v1alpha1 | true |
kind | string | Application | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | SkiperatorStatus. A status field shown on a Skiperator resource which contains information regarding deployment of the resource. | false |
Application.spec
Name | Type | Description | Required |
---|---|---|---|
image | string | The image the application will run. This image will be added to a Deployment resource. | true |
port | integer | The port the deployment exposes. | true |
accessPolicy | object | The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information. | false |
additionalPorts | []object | An optional list of extra ports to expose on a pod level basis, for example so Instana or other APM tools can reach it. | false |
appProtocol | enum | Protocol that the application speaks. Enum: http, tcp, udp | false |
authorizationSettings | object | Used for allow-listing certain endpoints that are blocked by default, such as /actuator/ endpoints. | false |
command | []string | Override the command set in the Dockerfile. Usually only used when debugging or running third-party containers where you don't have control over the Dockerfile. | false |
enablePDB | boolean | Whether to enable automatic Pod Disruption Budget creation for this application. Default: true | false |
env | []object | Environment variables that will be set inside the Deployment's Pod. See https://pkg.go.dev/k8s.io/api/core/v1#EnvVar for examples. | false |
envFrom | []object | Environment variables mounted from files. When specified, all the keys of the resource will be assigned as environment variables. Supports both ConfigMaps and Secrets. For mounting as files see FilesFrom. | false |
filesFrom | []object | Volumes are mounted into the Deployment using the FilesFrom argument. FilesFrom supports ConfigMaps, Secrets and PVCs. The Application resource assumes these have already been created by you, and will fail if this is not the case. For mounting environment variables see EnvFrom. | false |
gcp | object | GCP is used to configure Google Cloud Platform specific settings for the application. | false |
idporten | object | Settings for ID-porten integration with Digitaliseringsdirektoratet. | false |
ingresses | []string | Any external hostnames that route to this application. Using a skip.statkart.no address makes the application reachable for Kartverket clients (internal); other addresses make the app reachable on the internet. Note that addresses other than skip.statkart.no (also known as pretty hostnames) require additional DNS setup. The listed hostnames will also have TLS certificates issued and be reachable on both HTTP and HTTPS. Ingresses must be lowercase, contain no spaces, be a non-empty string, and have a hostname/domain separated by a period. They can optionally be suffixed with a plus sign and the name of a custom TLS secret located in the istio-gateways namespace, e.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert". | false |
istioSettings | object | IstioSettings are used to configure Istio specific resources such as telemetry. Currently, adjusting the sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%. Default: {telemetry: {tracing: [{randomSamplingPercentage: 10}]}} | false |
labels | map[string]string | Labels can be used if you want every resource created by your application, including the application itself, to have the same labels. This could for example be useful for metrics, where a certain label and the liveness of the corresponding resources can be combined. Any number of labels can be added, and they will all cascade down to all resources. | false |
liveness | object | Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make Kubernetes restart the app. Liveness is optional, but when provided, path and port are required. See Probe for structure definition. | false |
maskinporten | object | Settings for Maskinporten integration with Digitaliseringsdirektoratet. | false |
podSettings | object | PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and to set relevant Pod options such as TerminationGracePeriodSeconds. | false |
priority | enum | An optional priority. Supported values are 'low', 'medium' and 'high'. The default value is 'medium'. Most workloads should not have to specify this field. If you think you do, please consult with SKIP beforehand. Enum: low, medium, high | false |
prometheus | object | Optional settings for how Prometheus compatible metrics should be scraped. | false |
readiness | object | Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required. | false |
redirectToHTTPS | boolean | Controls whether the application will automatically redirect all HTTP calls to HTTPS via the Istio VirtualService. This redirect does not happen on the route /.well-known/acme-challenge/, as the ACME challenge can only be done on port 80. Default: true | false |
replicas | JSON | The number of replicas can either be specified as a static number (replicas: 2), or as a range between min and max to enable HorizontalPodAutoscaling. The default value for replicas is {min: 2, max: 5, targetCpuUtilization: 80}. Using autoscaling is the recommended configuration for replicas. | false |
resourceLabels | map[string]map[string]string | ResourceLabels can be used if you want to add a label to specific resources created by the application. One such label could for example be set on a Deployment, such that the deployment avoids certain rules from Gatekeeper, or similar. Any number of labels may be added per ResourceLabels item. | false |
resources | object | ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster. | false |
startup | object | Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required. | false |
strategy | object | Defines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones. Valid values are: RollingUpdate, Recreate. Default is RollingUpdate. | false |
team | string | Team specifies the team who owns this particular app. Usually sourced from the namespace label. | false |
Application.spec.accessPolicy
The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.
Name | Type | Description | Required |
---|---|---|---|
inbound | object | Inbound specifies the ingress rules. Which apps on the cluster can talk to this app? | false |
outbound | object | Outbound specifies the egress rules. Which apps on the cluster and on the internet is the Application allowed to send requests to? | false |
Application.spec.accessPolicy.inbound
Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?
Name | Type | Description | Required |
---|---|---|---|
rules | []object | The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required. | true |
Application.spec.accessPolicy.inbound.rules[index]
InternalRule
The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.
Name | Type | Description | Required |
---|---|---|---|
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob. | true |
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of the Application. | false |
namespacesByLabel | map[string]string | Namespace label key-value pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored. | false |
ports | []object | The ports to allow for the above application. | false |
Application.spec.accessPolicy.inbound.rules[index].ports[index]
NetworkPolicyPort describes a port to allow traffic on.
Name | Type | Description | Required |
---|---|---|---|
endPort | integer | endPort indicates that the range of ports from port to endPort, if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port. Format: int32 | false |
port | int or string | port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false |
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false |
Application.spec.accessPolicy.outbound
Outbound specifies the egress rules. Which apps on the cluster and on the internet is the Application allowed to send requests to?
Name | Type | Description | Required |
---|---|---|---|
external | []object | External specifies which applications on the internet the application can reach. Only host is required unless it is on another port than the HTTPS port 443. If other ports or protocols are required then | false |
rules | []object | Rules apply the same in-cluster rules as InboundPolicy. | false |
Application.spec.accessPolicy.outbound.external[index]
ExternalRule
Describes a rule for allowing your Application to route traffic to external applications and hosts.
Name | Type | Description | Required |
---|---|---|---|
host | string | | true |
ip | string | Non-HTTP requests (i.e. using the TCP protocol) need to use an IP in addition to the hostname. Only required for TCP requests. Note: the hostname must always be defined even if the IP is set statically. | false |
ports | []object | The ports to allow for the above hostname. When not specified, HTTP and HTTPS on ports 80 and 443 respectively are put into the allowlist. | false |
Application.spec.accessPolicy.outbound.external[index].ports[index]
ExternalPort
A custom port describing an external host.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is required and is an arbitrary name. Must be unique within all ExternalRule ports. | true |
port | integer | The port number of the external host. | true |
protocol | enum | The protocol to use for communication with the host. Only HTTP, HTTPS and TCP are supported. Enum: HTTP, HTTPS, TCP | true |
Application.spec.accessPolicy.outbound.rules[index]
InternalRule
The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.
Name | Type | Description | Required |
---|---|---|---|
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob. | true |
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of the Application. | false |
namespacesByLabel | map[string]string | Namespace label key-value pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored. | false |
ports | []object | The ports to allow for the above application. | false |
Application.spec.accessPolicy.outbound.rules[index].ports[index]
NetworkPolicyPort describes a port to allow traffic on.
Name | Type | Description | Required |
---|---|---|---|
endPort | integer | endPort indicates that the range of ports from port to endPort, if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port. Format: int32 | false |
port | int or string | port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false |
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false |
Application.spec.additionalPorts[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
port | integer | Format: int32 | true |
protocol | enum | Protocol defines the network protocols supported for things like container ports. Enum: TCP, UDP, SCTP | true |
Application.spec.authorizationSettings
Used for allow-listing certain endpoints that are blocked by default, such as /actuator/ endpoints.
Name | Type | Description | Required |
---|---|---|---|
allowAll | boolean | Allows all endpoints by not creating an AuthorizationPolicy, and ignores the content of AllowList. If the field is false, the contents of AllowList will be used instead if AllowList is set. Default: false | false |
allowList | []string | Allows specific endpoints. Common endpoints one might want to allow include /actuator/health, /actuator/startup, /actuator/info. Note that endpoints are matched exactly as given, so allowing /actuator/health does not allow /actuator/health/. | false |
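A complete Application manifest that ties together the spec, accessPolicy and authorizationSettings fields described above. This is an added example, not a manifest from the Skiperator project; the names, image reference, external hosts and IP address are constructed, and only the skip.statkart.no and atkv3-dev hostname patterns come from the reference above.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: example-api            # constructed name
  namespace: example-team      # constructed namespace
spec:
  image: ghcr.io/example/example-api:1.2.3   # constructed image reference
  port: 8080
  # accessPolicy is the zero-trust allowlist: only the peers listed here are permitted.
  accessPolicy:
    inbound:
      rules:
        # An Application in the same namespace; namespace may be omitted.
        - application: example-frontend
        # A SKIPJob in another namespace: note the -skipjob suffix and the explicit
        # namespace. The port list narrows the allowed traffic to the app port only.
        - application: nightly-report-skipjob
          namespace: example-batch
          ports:
            - port: 8080
              protocol: TCP
    outbound:
      rules:
        - application: example-db-proxy
      external:
        # Plain HTTPS on 443 needs only the host.
        - host: api.example.com
        # A non-HTTP (TCP) destination needs an ip as well as the host, and its own
        # named ExternalPort, since the default allowlist only covers HTTP/HTTPS.
        - host: mq.example.com
          ip: 203.0.113.10            # constructed, documentation range
          ports:
            - name: amqp-tls
              port: 5671
              protocol: TCP
  # Keep the AuthorizationPolicy (allowAll: false) and expose only the health endpoints.
  # Matching is exact, so /actuator/health/ (trailing slash) stays blocked.
  authorizationSettings:
    allowAll: false
    allowList:
      - /actuator/health
      - /actuator/info
  ingresses:
    # Internal hostname (constructed) and a pretty hostname from the reference above,
    # suffixed with the custom TLS secret in the istio-gateways namespace.
    - example-api.skip.statkart.no
    - foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert
  redirectToHTTPS: true
  # Autoscaling range rather than a static count (the documented default values).
  replicas:
    min: 2
    max: 5
    targetCpuUtilization: 80
  liveness:
    path: /actuator/health
    port: 8080
  readiness:
    path: /actuator/health
    port: 8080
```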
Application.spec.env[index]
EnvVar represents an environment variable present in a Container.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the environment variable. Must be a C_IDENTIFIER. | true |
value | string | Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". | false |
valueFrom | object | Source for the environment variable's value. Cannot be used if value is not empty. | false |
Application.spec.env[index].valueFrom
Source for the environment variable's value. Cannot be used if value is not empty.
Name | Type | Description | Required |
---|---|---|---|
configMapKeyRef | object | Selects a key of a ConfigMap. | false |
fieldRef | object | Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. | false |
resourceFieldRef | object | Selects a resource of the container: only resource limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. | false |
secretKeyRef | object | Selects a key of a Secret in the pod's namespace. | false |
Application.spec.env[index].valueFrom.configMapKeyRef
Selects a key of a ConfigMap.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key to select. | true |
name | string | Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: "" | false |
optional | boolean | Specify whether the ConfigMap or its key must be defined. | false |
Application.spec.env[index].valueFrom.fieldRef
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Name | Type | Description | Required |
---|---|---|---|
fieldPath | string | Path of the field to select in the specified API version. | true |
apiVersion | string | Version of the schema the FieldPath is written in terms of, defaults to "v1". | false |
Application.spec.env[index].valueFrom.resourceFieldRef
Selects a resource of the container: only resource limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Name | Type | Description | Required |
---|---|---|---|
resource | string | Required: resource to select. | true |
containerName | string | Container name: required for volumes, optional for env vars. | false |
divisor | int or string | Specifies the output format of the exposed resources, defaults to "1". | false |
Application.spec.env[index].valueFrom.secretKeyRef
Selects a key of a Secret in the pod's namespace.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key of the Secret to select from. Must be a valid secret key. | true |
name | string | Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: "" | false |
optional | boolean | Specify whether the Secret or its key must be defined. | false |
Application.spec.envFrom[index]
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the Kubernetes ConfigMap from which the deployment should mount environment variables. Must be in the same namespace as the Application. | false |
secret | string | Name of the Kubernetes Secret from which the deployment should mount environment variables. Must be in the same namespace as the Application. | false |
Application.spec.filesFrom[index]
FilesFrom
Struct representing the information needed to mount a Kubernetes resource as a file in a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and each is just the name of the resource in question. NB: out of the box, Skiperator provides a writable emptyDir volume at /tmp.
Name | Type | Description | Required |
---|---|---|---|
mountPath | string | The path to mount the file in the Pod's directory. Required. | true |
configMap | string | | false |
emptyDir | string | | false |
persistentVolumeClaim | string | | false |
secret | string | | false |
Application.spec.gcp
GCP is used to configure Google Cloud Platform specific settings for the application.
Name | Type | Description | Required |
---|---|---|---|
auth | object | Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA | false |
cloudSqlProxy | object | CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy. | false |
Application.spec.gcp.auth
Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA
Name | Type | Description | Required |
---|---|---|---|
serviceAccount | string | Name of the service account you are authenticating your pod with. Generally takes the form some-name@some-project-id.iam.gserviceaccount.com | true |
Application.spec.gcp.cloudSqlProxy
CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.
Name | Type | Description | Required |
---|---|---|---|
connectionName | string | Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource. The format is "projectName:region:instanceName", e.g. "skip-prod-bda1:europe-north1:my-db". | true |
ip | string | The IP address of the CloudSQL instance. This is used to create a ServiceEntry for the CloudSQL proxy. | true |
serviceAccount | string | Service account used by the Cloud SQL Auth Proxy. This service account must have the roles/cloudsql.client role. | true |
version | string | Image version for the CloudSQL proxy sidecar. Default: 2.8.0 | false |
Application.spec.idporten
Settings for ID-porten integration with Digitaliseringsdirektoratet.
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable provisioning of an ID-porten client. If enabled, an ID-porten client will be provisioned. | true |
accessTokenLifetime | integer | AccessTokenLifetime is the lifetime in seconds for any issued access token from ID-porten. If unspecified, defaults to Minimum: 1 | false |
clientName | string | The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal. Meant to be a human-readable name for separating clients in the portal. | false |
clientURI | string | ClientURI is the URL shown to the user at ID-porten when displaying a 'back' button or on errors. | false |
frontchannelLogoutPath | string | FrontchannelLogoutPath is a valid path for your application to which ID-porten sends a request whenever the user has initiated a logout elsewhere as part of a single logout (front channel logout) process. | false |
integrationType | enum | IntegrationType is used to make sensible choices for your client. Which type of integration you choose will provide guidance on which scopes you can use with the client. A client can only have one integration type. NB! It is not possible to change the integration type after creation. Enum: krr, idporten, api_klient | false |
postLogoutRedirectPath | string | PostLogoutRedirectPath is a simpler version of PostLogoutRedirectURIs that will be appended to the ingress. | false |
postLogoutRedirectURIs | []string | PostLogoutRedirectURIs are valid URIs that ID-porten will allow redirecting the end-user to after a single logout has been initiated and performed by the application. | false |
redirectPath | string | RedirectPath is a valid path that ID-porten redirects back to after a successful authorization request. | false |
scopes | []string | Register different OAuth2 scopes on your client. You will not be able to add a scope to your client that conflicts with the client's IntegrationType. For example, you can not add a scope that is limited to the IntegrationType Default for IntegrationType | false |
sessionLifetime | integer | SessionLifetime is the maximum lifetime in seconds for any given user's session in your application. The timeout starts whenever the user is redirected from the If unspecified, defaults to Minimum: 3600 | false |
Application.spec.istioSettings
IstioSettings are used to configure Istio specific resources such as telemetry. Currently, adjusting the sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.
Name | Type | Description | Required |
---|---|---|---|
telemetry | object | Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings. Default: {tracing: [{randomSamplingPercentage: 10}]} | false |
Application.spec.istioSettings.telemetry
Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.
Name | Type | Description | Required |
---|---|---|---|
tracing | []object | Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed. Default: [{randomSamplingPercentage: 10}] | false |
Application.spec.istioSettings.telemetry.tracing[index]
Tracing contains the relevant settings for tracing in the telemetry configuration.
Name | Type | Description | Required |
---|---|---|---|
randomSamplingPercentage | integer | RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified as a whole number between 0 and 100. Setting RandomSamplingPercentage to 0 will disable tracing. Default: 10 | false |
Application.spec.liveness
Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make Kubernetes restart the app. Liveness is optional, but when provided, path and port are required. See Probe for structure definition.
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server. | true |
port | int or string | Number of the port to access on the container. | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32 | false |
Application.spec.maskinporten
Settings for Maskinporten integration with Digitaliseringsdirektoratet.
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | If enabled, provisions and configures a Maskinporten client with consumed scopes and/or exposed scopes with DigDir. | true |
clientName | string | The name of the Client as shown in Digitaliseringsdirektoratet's Samarbeidsportal. Meant to be a human-readable name for separating clients in the portal. | false |
scopes | object | Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes. | false |
Application.spec.maskinporten.scopes
Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.
Name | Type | Description | Required |
---|---|---|---|
consumes | []object | This is the Schema for the consumes and exposes API. | false |
exposes | []object | | false |
Application.spec.maskinporten.scopes.consumes[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access. | true |
Application.spec.maskinporten.scopes.exposes[index]
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | If enabled, the configured scope is available to be used and consumed by organizations granted access. | true |
name | string | The actual subscope combined with | true |
product | string | The product area your application belongs to, e.g. arbeid, helse ... This will be included in the final scope. | true |
accessibleForAll | boolean | Allow any organization to access the scope. | false |
allowedIntegrations | []string | Whitelisting of the integrations allowed. Default is | false |
atMaxAge | integer | Max time in seconds for an issued access_token. Default is Minimum: 30 | false |
consumers | []object | External consumers granted access to this scope and able to request an access_token. | false |
delegationSource | enum | Delegation source for the scope. Default is empty, which means no delegation is allowed. Enum: altinn | false |
separator | string | Separator is the character that separates | false |
Application.spec.maskinporten.scopes.exposes[index].consumers[index]
Name | Type | Description | Required |
---|---|---|---|
orgno | string | The external business/organization number. | true |
name | string | This is a descriptive field intended for clarity and not used for any other purpose. | false |
Application.spec.podSettingsβ
β© ParentPodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar. | false |
disablePodSpreadTopologyConstraints | boolean | DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to
a given pod. Default: false | false |
terminationGracePeriodSeconds | integer | TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal sent to a Pod before terminating the pod. If your application uses longer than
30 seconds to terminate, you should increase TerminationGracePeriodSeconds. Format: int64 | false |
Application.spec.prometheusβ
β© ParentOptional settings for how Prometheus compatible metrics should be scraped.
Name | Type | Description | Required |
---|---|---|---|
port | int or string | The port number or name where metrics are exposed (at the Pod level). | true |
allowAllMetrics | boolean | Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined
metrics will be dropped by default. See util/constants.go for the default list. Default: false | false |
path | string | The HTTP path where Prometheus compatible metrics exists Default: /metrics | false |
Application.spec.readinessβ
β© ParentReadiness probes define an HTTP endpoint that returns a success status (Kubernetes treats any code from 200 to 399 as success) once the app is able to serve traffic. Kubernetes keeps the Pod out of the Service's endpoints and does not mark it Ready until the probe succeeds, and a rolling update waits for new Pods to become Ready before taking old ones down. Readiness is optional, but when provided, path and port are required
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server | true |
port | int or string | Number of the port to access on the container | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1 Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1 Format: int32 | false |
Application.spec.resourcesβ
β© ParentResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.
Name | Type | Description | Required |
---|---|---|---|
limits | map[string]int or string | Limits set the maximum the app is allowed to use. Exceeding a memory limit makes Kubernetes OOM-kill the container and restart it; exceeding a CPU limit only throttles the container. Limits can be set on CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits | false |
requests | map[string]int or string | Requests set the amount reserved for the app when it is scheduled, and therefore guaranteed to be available on startup. Usage may grow beyond the request on demand, up to the limit. Requests can be set on CPU and memory. | false |
Application.spec.startupβ
β© ParentKubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server | true |
port | int or string | Number of the port to access on the container | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1 Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1 Format: int32 | false |
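The readiness and startup tables above share one field set, and the constraint that matters most in practice is the interplay between them: a liveness probe with the default 3 x 10 s budget restarts a container that takes longer than that to start unless a startup probe guards it. The script below is an added example, not Skiperator's own code; it applies the minimums and the successThreshold rule from the tables and derives the worst-case time each probe allows before Kubernetes acts. The specs are constructed, and `expected_startup_seconds` is an assumed input for the check, not a Skiperator field.

```python
"""Sanity-check liveness/readiness/startup probes of a Skiperator spec.

Added example (not Skiperator's own code). Uses the field rules from the
probe reference and the initialDelay + failureThreshold * period rule of
thumb from the Kubernetes docs to estimate when a probe gives up.
"""
from typing import Any

DEFAULTS = {"initialDelay": 0, "period": 10, "timeout": 1,
            "failureThreshold": 3, "successThreshold": 1}
KINDS = ("startup", "readiness", "liveness")


def failure_budget_seconds(probe: dict[str, Any]) -> int:
    """Seconds from container start until the probe is declared failed.
    Each attempt may additionally run up to `timeout` seconds."""
    p = {**DEFAULTS, **probe}
    return p["initialDelay"] + p["failureThreshold"] * p["period"]


def lint_probe(kind: str, probe: dict[str, Any]) -> list[str]:
    """Field-level rules stated in the reference for one probe."""
    out = []
    for required in ("path", "port"):
        if required not in probe:
            out.append(f"{kind}: '{required}' is required")
    p = {**DEFAULTS, **probe}
    for field in ("failureThreshold", "successThreshold", "timeout"):
        if p[field] < 1:
            out.append(f"{kind}: {field} must be at least 1")
    if kind in ("liveness", "startup") and p["successThreshold"] != 1:
        out.append(f"{kind}: successThreshold must be 1")
    return out


def lint_probes(spec: dict[str, Any], expected_startup_seconds: int) -> list[str]:
    """Cross-probe findings for an Application.spec-like mapping.
    expected_startup_seconds is an assumed input: how long the app needs."""
    out = []
    for kind in KINDS:
        if kind in spec:
            out += lint_probe(kind, spec[kind])
    startup, liveness = spec.get("startup"), spec.get("liveness")
    if startup is not None:
        budget = failure_budget_seconds(startup)
        if budget < expected_startup_seconds:
            out.append(f"startup: budget {budget}s < expected start "
                       f"{expected_startup_seconds}s; raise failureThreshold or period")
    elif liveness is not None:
        # No startup probe: liveness runs from the beginning and can kill
        # a container that is merely still starting.
        budget = failure_budget_seconds(liveness)
        if budget < expected_startup_seconds:
            out.append(f"liveness: would restart the container after {budget}s but "
                       f"start takes {expected_startup_seconds}s; add a startup probe")
    return out


# Constructed specs: a JVM-style app that needs roughly 90 s to start.
SLOW_APP = {
    "readiness": {"path": "/ready", "port": 8080},
    "liveness": {"path": "/health", "port": 8080, "period": 5},
}
GUARDED_APP = {
    **SLOW_APP,
    "startup": {"path": "/health", "port": 8080, "period": 5, "failureThreshold": 30},
}

if __name__ == "__main__":
    for name, spec in (("slow", SLOW_APP), ("guarded", GUARDED_APP)):
        print(name, lint_probes(spec, expected_startup_seconds=90) or "ok")
```

With the constructed values, `SLOW_APP` is flagged because its liveness probe gives up after 15 s, while `GUARDED_APP` passes: the startup probe allows 150 s and, per the text above, suspends liveness and readiness until it succeeds.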
Application.spec.strategyβ
β© ParentDefines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones.
Valid values are: RollingUpdate, Recreate. Default is RollingUpdate
Name | Type | Description | Required |
---|---|---|---|
type | enum | Valid values are: RollingUpdate, Recreate. Default is RollingUpdate Enum: RollingUpdate, Recreate | false |
Application.statusβ
β© ParentSkiperatorStatus
A status field shown on a Skiperator resource which contains information regarding deployment of the resource.
Name | Type | Description | Required |
---|---|---|---|
accessPolicies | string | Indicates if access policies are valid | true |
conditions | []object | true | |
subresources | map[string]object | true | |
summary | object | Status | true |
Application.status.conditions[index]β
β© ParentCondition contains details for one aspect of the current state of this API Resource.
Name | Type | Description | Required |
---|---|---|---|
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
message | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance. Format: int64 | false |
Application.status.subresources[key]β
β© ParentStatus
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |
Application.status.summaryβ
β© ParentStatus
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |
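The observedGeneration note in the conditions table is the detail that trips up deployment gates: a condition left over from generation 9 of the spec says nothing about generation 12. The function below is an added example, not Skiperator's own code; it reads the status fields documented above (conditions, summary, subresources) the way a CI gate or a `kubectl wait` replacement would, discarding stale conditions first. The object is constructed, and the condition type "Ready" and the subresource key "Deployment" are assumed names for illustration; check a live object for the values Skiperator actually emits.

```python
"""Gate on a Skiperator resource's status without trusting stale conditions.

Added example (not Skiperator's own code). Condition type "Ready" and the
subresource key names are assumptions for illustration.
"""
from typing import Any

Obj = dict[str, Any]


def current_conditions(obj: Obj) -> dict[str, Obj]:
    """Conditions keyed by type, dropping any whose observedGeneration is
    behind metadata.generation (they describe an older spec). A condition
    without observedGeneration is kept, since that field is optional."""
    generation = obj.get("metadata", {}).get("generation")
    current: dict[str, Obj] = {}
    for cond in obj.get("status", {}).get("conditions", []):
        seen = cond.get("observedGeneration")
        if seen is None or seen == generation:
            current[cond["type"]] = cond
    return current


def reconciled(obj: Obj, required: tuple[str, ...] = ("Ready",)) -> tuple[bool, str]:
    """(ok, reason). ok only when every required condition is current and
    True, the summary says Synced and no subresource reports otherwise."""
    conds = current_conditions(obj)
    for ctype in required:
        cond = conds.get(ctype)
        if cond is None:
            return False, f"condition {ctype} missing or stale"
        if cond.get("status") != "True":
            return False, (f"{ctype}={cond.get('status')} "
                           f"({cond.get('reason')}): {cond.get('message')}")
    status = obj.get("status", {})
    summary = status.get("summary", {}).get("status")
    if summary != "Synced":
        return False, f"summary is {summary!r}"
    unsynced = sorted(key for key, sub in status.get("subresources", {}).items()
                      if sub.get("status") != "Synced")
    if unsynced:
        return False, "subresources not synced: " + ", ".join(unsynced)
    return True, "reconciled"


# Constructed object: spec is at generation 12, but the only Ready
# condition was recorded against generation 9 (the page's own example).
TS = "2024-01-01T00:00:00Z"
STALE: Obj = {
    "metadata": {"name": "orders-api", "generation": 12},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Synced",
                        "message": "", "observedGeneration": 9,
                        "lastTransitionTime": TS}],
        "summary": {"status": "Synced", "message": "", "timestamp": TS},
        "subresources": {"Deployment": {"status": "Synced", "message": "",
                                        "timestamp": TS}},
    },
}
FRESH: Obj = {**STALE, "status": {
    **STALE["status"],
    "conditions": [{**STALE["status"]["conditions"][0], "observedGeneration": 12}],
}}
BROKEN: Obj = {**FRESH, "status": {
    **FRESH["status"],
    "subresources": {"NetworkPolicy": {"status": "Error",
                                       "message": "invalid rule", "timestamp": TS}},
}}

if __name__ == "__main__":
    for name, obj in (("stale", STALE), ("fresh", FRESH), ("broken", BROKEN)):
        print(name, reconciled(obj))
```

A gate that only looked at `summary.status` would pass all three constructed objects' summaries; the generation check is what rejects `STALE`, and the subresource walk is what rejects `BROKEN`.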
Routingβ
β© ParentName | Type | Description | Required |
---|---|---|---|
apiVersion | string | skiperator.kartverket.no/v1alpha1 | true |
kind | string | Routing | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | true | |
status | object | SkiperatorStatus A status field shown on a Skiperator resource which contains information regarding deployment of the resource. | false |
Routing.specβ
β© ParentName | Type | Description | Required |
---|---|---|---|
hostname | string | true | |
routes | []object | true | |
redirectToHTTPS | boolean | Default: true | false |
Routing.spec.routes[index]β
β© ParentName | Type | Description | Required |
---|---|---|---|
pathPrefix | string | true | |
targetApp | string | true | |
port | integer | Format: int32 | false |
rewriteUri | boolean | Default: false | false |
Routing.statusβ
β© ParentSkiperatorStatus
A status field shown on a Skiperator resource which contains information regarding deployment of the resource.
Name | Type | Description | Required |
---|---|---|---|
accessPolicies | string | Indicates if access policies are valid | true |
conditions | []object | true | |
subresources | map[string]object | true | |
summary | object | Status | true |
Routing.status.conditions[index]β
β© ParentCondition contains details for one aspect of the current state of this API Resource.
Name | Type | Description | Required |
---|---|---|---|
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
message | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance. Format: int64 | false |
Routing.status.subresources[key]β
β© ParentStatus
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |
Routing.status.summaryβ
β© ParentStatus
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |
SKIPJobβ
β© ParentSKIPJob is the Schema for the skipjobs API
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | skiperator.kartverket.no/v1alpha1 | true |
kind | string | SKIPJob | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | SKIPJobSpec defines the desired state of SKIPJob A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added.
The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings. | true |
status | object | SkiperatorStatus A status field shown on a Skiperator resource which contains information regarding deployment of the resource. | false |
SKIPJob.specβ
β© ParentSKIPJobSpec defines the desired state of SKIPJob
A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings.
Name | Type | Description | Required |
---|---|---|---|
container | object | Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added.
Once set, you may not change Container without deleting your current SKIPJob | true |
cron | object | Settings for the Job if you are running a scheduled job. Optional as Jobs may be one-off. | false |
istioSettings | object | IstioSettings are used to configure istio specific resources such as telemetry. Currently, adjusting sampling
interval for tracing is the only supported option.
By default, tracing is enabled with a random sampling percentage of 10%. Default: telemetry.tracing: [{randomSamplingPercentage: 10}] | false |
job | object | Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job. | false |
prometheus | object | Prometheus settings for pod running in job. Fields are identical to Application and if set,
a podmonitoring object is created. | false |
SKIPJob.spec.containerβ
β© ParentSettings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob
Name | Type | Description | Required |
---|---|---|---|
image | string | true | |
accessPolicy | object | AccessPolicy Zero trust dictates that only applications with a reason for being able
to access another resource should be able to reach it. This is set up by
default by denying all ingress and egress traffic from the Pods in the
Deployment. The AccessPolicy field is an allowlist of other applications and hostnames
that are allowed to talk with this Application and which resources this app can talk to | false |
additionalPorts | []object | false | |
command | []string | false | |
env | []object | false | |
envFrom | []object | false | |
filesFrom | []object | false | |
gcp | object | GCP Configuration for interacting with Google Cloud Platform | false |
liveness | object | Probe Type configuration for all types of Kubernetes probes. | false |
podSettings | object | PodSettings | false |
priority | enum | Enum: low, medium, high | false |
readiness | object | Probe Type configuration for all types of Kubernetes probes. | false |
resources | object | ResourceRequirements A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present.
For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes | false |
restartPolicy | enum | RestartPolicy describes how the container should be restarted. Only one policy may be specified. The generic Kubernetes default is RestartPolicyAlways, but a Job's Pod template does not permit Always, so only OnFailure and Never are accepted here. Enum: OnFailure, Never | false |
startup | object | Probe Type configuration for all types of Kubernetes probes. | false |
SKIPJob.spec.container.accessPolicyβ
β© ParentAccessPolicy
Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to
Name | Type | Description | Required |
---|---|---|---|
inbound | object | Inbound specifies the ingress rules. Which apps on the cluster can talk to this app? | false |
outbound | object | Outbound specifies egress rules. Which apps on the cluster and the
internet is the Application allowed to send requests to? | false |
SKIPJob.spec.container.accessPolicy.inboundβ
β© ParentInbound specifies the ingress rules. Which apps on the cluster can talk to this app?
Name | Type | Description | Required |
---|---|---|---|
rules | []object | The rules list specifies a list of applications. When no namespace is
specified it refers to an app in the current namespace. For apps in
other namespaces namespace is required | true |
SKIPJob.spec.container.accessPolicy.inbound.rules[index]β
β© ParentInternalRule
The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.
Name | Type | Description | Required |
---|---|---|---|
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob | true |
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application. | false |
namespacesByLabel | map[string]string | Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted. | false |
ports | []object | The ports to allow for the above application. | false |
SKIPJob.spec.container.accessPolicy.inbound.rules[index].ports[index]β
β© ParentNetworkPolicyPort describes a port to allow traffic on
Name | Type | Description | Required |
---|---|---|---|
endPort | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port. Format: int32 | false |
port | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false |
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false |
SKIPJob.spec.container.accessPolicy.outboundβ
β© ParentOutbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?
Name | Type | Description | Required |
---|---|---|---|
external | []object | External specifies which applications on the internet the application
can reach. Only host is required unless it is on another port than HTTPS port 443.
If other ports or protocols are required then | false |
rules | []object | Rules apply the same in-cluster rules as InboundPolicy | false |
SKIPJob.spec.container.accessPolicy.outbound.external[index]β
β© ParentExternalRule
Describes a rule for allowing your Application to route traffic to external applications and hosts.
Name | Type | Description | Required |
---|---|---|---|
host | string | true | |
ip | string | Non-HTTP requests (i.e. plain TCP) need an IP address in addition to the hostname; only required for TCP rules. Note: the hostname must always be defined even if the IP is set statically | false |
ports | []object | The ports to allow for the above hostname. When not specified HTTP and
HTTPS on port 80 and 443 respectively are put into the allowlist | false |
SKIPJob.spec.container.accessPolicy.outbound.external[index].ports[index]β
β© ParentExternalPort
A custom port describing an external host
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is required and is an arbitrary name. Must be unique within all ExternalRule ports. | true |
port | integer | The port number of the external host | true |
protocol | enum | The protocol to use for communication with the host. Only HTTP, HTTPS and TCP are supported. Enum: HTTP, HTTPS, TCP | true |
SKIPJob.spec.container.accessPolicy.outbound.rules[index]β
β© ParentInternalRule
The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.
Name | Type | Description | Required |
---|---|---|---|
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should
be suffixed with -skipjob | true |
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses namespace of Application. | false |
namespacesByLabel | map[string]string | Namespace label value-pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is omitted. | false |
ports | []object | The ports to allow for the above application. | false |
SKIPJob.spec.container.accessPolicy.outbound.rules[index].ports[index]β
β© ParentNetworkPolicyPort describes a port to allow traffic on
Name | Type | Description | Required |
---|---|---|---|
endPort | integer | endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port. Format: int32 | false |
port | int or string | port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched. | false |
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP. | false |
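The accessPolicy tables above (InternalRule, ExternalRule, ExternalPort and NetworkPolicyPort) state several rules that only surface as a rejected or silently narrowed policy at apply time: namespace overrides namespacesByLabel, endPort needs a numeric port, an external rule always needs host and additionally ip for TCP, external port names must be unique, and an external rule without ports opens only HTTP/80 and HTTPS/443. The linter below is an added example, not Skiperator's own validation or admission code; it encodes those rules as a pre-apply check. All application, namespace and host names are constructed.

```python
"""Lint the accessPolicy block of a Skiperator Application or SKIPJob.

Added example (not Skiperator's own code): encodes the InternalRule,
ExternalRule and NetworkPolicyPort rules from the reference as checks a
CI job can run before `kubectl apply`. Manifest names are constructed.
"""
from typing import Any

Rule = dict[str, Any]
INTERNAL_PROTOCOLS = {"TCP", "UDP", "SCTP"}   # NetworkPolicyPort.protocol
EXTERNAL_PROTOCOLS = {"HTTP", "HTTPS", "TCP"}  # ExternalPort.protocol


def effective_external_ports(rule: Rule) -> list[tuple[int, str]]:
    """Ports an ExternalRule actually opens: HTTP/80 and HTTPS/443 when
    'ports' is omitted, otherwise exactly the listed ports."""
    ports = rule.get("ports") or []
    if not ports:
        return [(80, "HTTP"), (443, "HTTPS")]
    return [(p["port"], p["protocol"]) for p in ports]


def _lint_internal(rule: Rule, where: str) -> list[str]:
    """InternalRule: an in-cluster peer, optionally narrowed by ports."""
    out = []
    if not rule.get("application"):
        out.append(f"{where}: 'application' is required")
    if rule.get("namespace") and rule.get("namespacesByLabel"):
        # namespace wins and namespacesByLabel is dropped without error.
        out.append(f"{where}: namespace and namespacesByLabel both set; "
                   "namespacesByLabel is ignored")
    for i, p in enumerate(rule.get("ports") or []):
        pw, port, end = f"{where}.ports[{i}]", p.get("port"), p.get("endPort")
        if p.get("protocol", "TCP") not in INTERNAL_PROTOCOLS:
            out.append(f"{pw}: unsupported protocol {p['protocol']!r}")
        if end is not None:
            if not isinstance(port, int):
                out.append(f"{pw}: endPort requires a numeric 'port'")
            elif end < port:
                out.append(f"{pw}: endPort {end} is below port {port}")
    return out


def _lint_external(rule: Rule, where: str) -> list[str]:
    """ExternalRule: hostname always required; TCP additionally needs ip."""
    out = []
    if not rule.get("host"):
        out.append(f"{where}: 'host' is required even when 'ip' is set")
    ports = rule.get("ports") or []
    names = [p.get("name") for p in ports]
    if None in names or len(set(names)) != len(names):
        out.append(f"{where}: every port needs a unique 'name'")
    for i, p in enumerate(ports):
        pw = f"{where}.ports[{i}]"
        if not isinstance(p.get("port"), int):
            out.append(f"{pw}: 'port' must be an integer")
        proto = p.get("protocol")
        if proto not in EXTERNAL_PROTOCOLS:
            out.append(f"{pw}: protocol must be one of HTTP, HTTPS, TCP")
        elif proto == "TCP" and not rule.get("ip"):
            out.append(f"{pw}: TCP traffic needs 'ip' on the rule as well")
    return out


def lint_access_policy(policy: Rule) -> list[str]:
    """Returns findings; an empty list means the policy is well-formed."""
    out = []
    for i, r in enumerate((policy.get("inbound") or {}).get("rules") or []):
        out += _lint_internal(r, f"inbound.rules[{i}]")
    outbound = policy.get("outbound") or {}
    for i, r in enumerate(outbound.get("rules") or []):
        out += _lint_internal(r, f"outbound.rules[{i}]")
    for i, r in enumerate(outbound.get("external") or []):
        out += _lint_external(r, f"outbound.external[{i}]")
    return out


# Constructed policies; names are illustrative, not real services.
GOOD_POLICY: Rule = {
    "inbound": {"rules": [
        {"application": "frontend"},                         # same namespace
        {"application": "nightly-export-skipjob",            # a SKIPJob peer
         "namespace": "batch", "ports": [{"port": 8080}]},
    ]},
    "outbound": {
        "rules": [{"application": "orders-api", "namespace": "orders"}],
        "external": [
            {"host": "api.example.test"},                    # HTTP 80 + HTTPS 443
            {"host": "db.example.test", "ip": "192.0.2.10",
             "ports": [{"name": "pg", "port": 5432, "protocol": "TCP"}]},
        ],
    },
}
BAD_POLICY: Rule = {
    "inbound": {"rules": [
        {"application": "frontend", "namespace": "web", "namespacesByLabel": {"team": "web"}},
        {"application": "metrics", "ports": [{"port": "http", "endPort": 9000}]},
    ]},
    "outbound": {"external": [
        {"ip": "192.0.2.20", "ports": [{"name": "x", "port": 6379, "protocol": "TCP"}]},
        {"host": "cache.example.test", "ports": [{"name": "redis", "port": 6379, "protocol": "TCP"}]},
    ]},
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_access_policy(pol) or "ok")
```

The namespacesByLabel finding is the one worth treating as an error rather than a warning: a rule that was meant to match every namespace carrying a label quietly collapses to one namespace, and the resulting NetworkPolicy is tighter than intended rather than looser, which is the failure mode that is noticed late.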
SKIPJob.spec.container.additionalPorts[index]β
β© ParentName | Type | Description | Required |
---|---|---|---|
name | string | true | |
port | integer | Format: int32 | true |
protocol | enum | Protocol defines network protocols supported for things like container ports. Enum: TCP, UDP, SCTP | true |
SKIPJob.spec.container.env[index]β
β© ParentEnvVar represents an environment variable present in a Container.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the environment variable. Must be a C_IDENTIFIER. | true |
value | string | Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "". | false |
valueFrom | object | Source for the environment variable's value. Cannot be used if value is not empty. | false |
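The expansion rules in the value description above decide, for example, whether a DSN built from `$(DB_PASSWORD)` ends up holding the secret. The port below is an added example, not Skiperator's or Kubernetes' own source; it implements those rules (previously defined and service variables resolve, unknown references stay unchanged, `$$` escapes, an unclosed `$(` is copied through) and resolves an env list in order. valueFrom entries are looked up from constructed `secrets` and `configmaps` tables here instead of the API server, and are not themselves expanded, which matches how the kubelet treats them. All variable names and values are constructed.

```python
"""Kubernetes $(VAR_NAME) expansion for a container env list.

Added example (not Skiperator's or Kubernetes' code). Secrets and
ConfigMaps are constructed in-memory tables keyed by (name, key).
"""
from typing import Any, Callable, Optional


def expand(text: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Expand $(NAME) references. "$$" -> "$"; "$(NAME)" -> lookup(NAME) or,
    when that is None, the reference itself; "$(" without ")" and "$" before
    any other character are copied through unchanged."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch != "$" or i + 1 >= n:
            out.append(ch)
            i += 1
            continue
        nxt = text[i + 1]
        if nxt == "$":                       # escaped operator
            out.append("$")
            i += 2
        elif nxt == "(":
            close = text.find(")", i + 2)
            if close == -1:                  # incomplete reference
                out.append("$(")
                i += 2
            else:
                name = text[i + 2:close]
                val = lookup(name)
                out.append(f"$({name})" if val is None else val)
                i = close + 1
        else:                                # "$" not starting a reference
            out.append("$" + nxt)
            i += 2
    return "".join(out)


def resolve_env(env: list[dict[str, Any]], *, secrets: dict, configmaps: dict,
                service_env: dict[str, str]) -> dict[str, str]:
    """Resolve env items in order. 'value' is expanded against variables
    defined earlier plus service_env; 'valueFrom' is looked up and never
    expanded. Forward references do not resolve."""
    resolved: dict[str, str] = {}

    def lookup(name: str) -> Optional[str]:
        return resolved.get(name, service_env.get(name))

    for item in env:
        name, ref = item["name"], item.get("valueFrom")
        if ref is None:
            resolved[name] = expand(item.get("value", ""), lookup)
        elif "secretKeyRef" in ref:
            r = ref["secretKeyRef"]
            resolved[name] = secrets[(r["name"], r["key"])]
        elif "configMapKeyRef" in ref:
            r = ref["configMapKeyRef"]
            resolved[name] = configmaps[(r["name"], r["key"])]
        else:
            raise ValueError(f"{name}: unsupported valueFrom {sorted(ref)}")
    return resolved


# Constructed inputs.
SECRETS = {("db-credentials", "password"): "s3cr$(DB_HOST)t"}
CONFIGMAPS = {("app-config", "db_host"): "db.example.test"}
SERVICE_ENV = {"KUBERNETES_SERVICE_HOST": "10.0.0.1"}
ENV = [
    {"name": "DB_HOST", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "db_host"}}},
    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "password"}}},
    {"name": "DSN", "value": "postgres://app:$(DB_PASSWORD)@$(DB_HOST):5432/app"},
    {"name": "API", "value": "https://$(KUBERNETES_SERVICE_HOST)"},
    {"name": "TEMPLATE", "value": "$$(DB_PASSWORD) is literal; $(LATER) is forward"},
    {"name": "LATER", "value": "defined-too-late"},
    {"name": "BROKEN", "value": "$(unclosed and $5"},
]

if __name__ == "__main__":
    for k, v in resolve_env(ENV, secrets=SECRETS, configmaps=CONFIGMAPS,
                            service_env=SERVICE_ENV).items():
        print(f"{k}={v}")
```

Two results matter for handling secrets. The `$(DB_HOST)` inside the secret value survives verbatim, because values that come from valueFrom are not expanded. And `DSN` now carries the password in a plain `value`-derived variable, so anything that dumps the environment (crash reporters, debug endpoints, `/proc/<pid>/environ` readable by a co-located process) exposes it just as readily as `DB_PASSWORD` itself.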
SKIPJob.spec.container.env[index].valueFromβ
β© ParentSource for the environment variable's value. Cannot be used if value is not empty.
Name | Type | Description | Required |
---|---|---|---|
configMapKeyRef | object | Selects a key of a ConfigMap. | false |
fieldRef | object | Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. | false |
resourceFieldRef | object | Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. | false |
secretKeyRef | object | Selects a key of a secret in the pod's namespace | false |
SKIPJob.spec.container.env[index].valueFrom.configMapKeyRefβ
β© ParentSelects a key of a ConfigMap.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key to select. | true |
name | string | Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: | false |
optional | boolean | Specify whether the ConfigMap or its key must be defined | false |
SKIPJob.spec.container.env[index].valueFrom.fieldRefβ
β© ParentSelects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Name | Type | Description | Required |
---|---|---|---|
fieldPath | string | Path of the field to select in the specified API version. | true |
apiVersion | string | Version of the schema the FieldPath is written in terms of, defaults to "v1". | false |
SKIPJob.spec.container.env[index].valueFrom.resourceFieldRefβ
β© ParentSelects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Name | Type | Description | Required |
---|---|---|---|
resource | string | Required: resource to select | true |
containerName | string | Container name: required for volumes, optional for env vars | false |
divisor | int or string | Specifies the output format of the exposed resources, defaults to "1" | false |
SKIPJob.spec.container.env[index].valueFrom.secretKeyRefβ
β© ParentSelects a key of a secret in the pod's namespace
Name | Type | Description | Required |
---|---|---|---|
key | string | The key of the secret to select from. Must be a valid secret key. | true |
name | string | Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: | false |
optional | boolean | Specify whether the Secret or its key must be defined | false |
SKIPJob.spec.container.envFrom[index]β
β© ParentName | Type | Description | Required |
---|---|---|---|
configMap | string | Name of a Kubernetes ConfigMap from which the deployment loads environment variables. Must be in the same namespace as the Application | false |
secret | string | Name of a Kubernetes Secret from which the deployment loads environment variables. Must be in the same namespace as the Application | false |
SKIPJob.spec.container.filesFrom[index]β
β© ParentFilesFrom
Struct representing the information needed to mount a Kubernetes resource as a file in a Pod's filesystem. One of configMap, secret, emptyDir or persistentVolumeClaim must be present, holding just the name of the resource in question. NB: out of the box, Skiperator provides a writable emptyDir volume at /tmp
Name | Type | Description | Required |
---|---|---|---|
mountPath | string | The path to mount the file in the Pods directory. Required. | true |
configMap | string | false | |
emptyDir | string | false | |
persistentVolumeClaim | string | false | |
secret | string | false |
SKIPJob.spec.container.gcpβ
β© ParentGCP
Configuration for interacting with Google Cloud Platform
Name | Type | Description | Required |
---|---|---|---|
auth | object | Configuration for authenticating a Pod with Google Cloud Platform
For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need
to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP
service account and bind this to the Pod's Kubernetes SA.
Documentation on how this is done can be found here (Closed Wiki):
https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA | false |
cloudSqlProxy | object | CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod.
This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy. | false |
SKIPJob.spec.container.gcp.authβ
β© ParentConfiguration for authenticating a Pod with Google Cloud Platform For authentication with GCP, to use services like Secret Manager and/or Pub/Sub we need to set the GCP Service Account Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA
Name | Type | Description | Required |
---|---|---|---|
serviceAccount | string | Name of the service account in which you are trying to authenticate your pod with
Generally takes the form of some-name@some-project-id.iam.gserviceaccount.com | true |
SKIPJob.spec.container.gcp.cloudSqlProxyβ
β© ParentCloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.
Name | Type | Description | Required |
---|---|---|---|
connectionName | string | Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource.
The format is "projectName:region:instanceName" E.g. "skip-prod-bda1:europe-north1:my-db". | true |
ip | string | The IP address of the CloudSQL instance. This is used to create a serviceentry for the CloudSQL proxy. | true |
serviceAccount | string | Service account used by cloudsql auth proxy. This service account must have the roles/cloudsql.client role. | true |
version | string | Image version for the CloudSQL proxy sidecar. Default: 2.8.0 | false |
SKIPJob.spec.container.livenessβ
β© ParentProbe
Type configuration for all types of Kubernetes probes.
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server | true |
port | int or string | Number of the port to access on the container | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after
having succeeded. Defaults to 3. Minimum value is 1 Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that
are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second.
Minimum value is 1 Format: int32 | false |
SKIPJob.spec.container.podSettingsβ
β© ParentPodSettings
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar. | false |
disablePodSpreadTopologyConstraints | boolean | DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to
a given pod. Default: false | false |
terminationGracePeriodSeconds | integer | TerminationGracePeriodSeconds determines how long Kubernetes waits after sending SIGTERM to a Pod before killing it. If your application takes longer than 30 seconds to terminate, you should increase TerminationGracePeriodSeconds. Format: int64 | false |
SKIPJob.spec.container.readiness
Probe
Type configuration for all types of Kubernetes probes.
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server | true |
port | int or string | Number of the port to access on the container | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32 | false |
SKIPJob.spec.container.resources
ResourceRequirements
A simplified version of the Kubernetes native ResourceRequirements field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
Name | Type | Description | Required |
---|---|---|---|
limits | map[string]int or string | Limits set the maximum the app is allowed to use. Exceeding this limit will make Kubernetes kill the app and restart it. Limits can be set on CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits | false |
requests | map[string]int or string | Requests set the initial allocation that is done for the app and will thus be available to the app on startup. More is allocated on demand until the limit is reached. Requests can be set on CPU and memory. | false |
SKIPJob.spec.container.startup
Probe
Type configuration for all types of Kubernetes probes.
Name | Type | Description | Required |
---|---|---|---|
path | string | The path to access on the HTTP server | true |
port | int or string | Number of the port to access on the container | true |
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32 | false |
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32 | false |
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32 | false |
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup Probes. Minimum value is 1. Format: int32 | false |
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32 | false |
SKIPJob.spec.cron
Settings for the Job if you are running a scheduled job. Optional, as Jobs may be one-off.
Name | Type | Description | Required |
---|---|---|---|
schedule | string | A CronJob string denoting the schedule of this job. See https://crontab.guru/ for help creating CronJob strings. Kubernetes CronJobs also support the extended "Vixie cron" step values: https://man.freebsd.org/cgi/man.cgi?crontab%285%29. | true |
allowConcurrency | enum | Denotes how Kubernetes should react to multiple instances of the Job being started at the same time. Allow will allow concurrent jobs. Forbid will not allow this, and will instead skip the newer scheduled Job. Replace will replace the currently active Job with the newer scheduled Job. Enum: Allow, Forbid, Replace | false |
startingDeadlineSeconds | integer | Denotes the deadline in seconds for starting a job on its schedule, if for some reason the Job's controller was not ready at the scheduled time. If unset, Jobs missing their deadline will be considered failed jobs and will not start. Format: int64 | false |
suspend | boolean | If set to true, this tells Kubernetes to suspend this Job until the field is set to false. If the Job is active while this field is set to true, all running Pods will be terminated. | false |
timeZone | string | The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this defaults to the time zone of the cluster. Example: "Europe/Oslo" | false |
SKIPJob.spec.istioSettings
IstioSettings are used to configure Istio-specific resources such as telemetry. Currently, adjusting the sampling percentage for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.
Name | Type | Description | Required |
---|---|---|---|
telemetry | object | Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings. Default: map[tracing:[map[randomSamplingPercentage:10]]] | false |
SKIPJob.spec.istioSettings.telemetry
Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.
Name | Type | Description | Required |
---|---|---|---|
tracing | []object | Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed. Default: [map[randomSamplingPercentage:10]] | false |
SKIPJob.spec.istioSettings.telemetry.tracing[index]
Tracing contains relevant settings for tracing in the telemetry configuration.
Name | Type | Description | Required |
---|---|---|---|
randomSamplingPercentage | integer | RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified as a whole number between 0 and 100. Setting RandomSamplingPercentage to 0 will disable tracing. Default: 10 | false |
SKIPJob.spec.job
Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job.
Name | Type | Description | Required |
---|---|---|---|
activeDeadlineSeconds | integer | ActiveDeadlineSeconds denotes a duration in seconds, counted from when the job first becomes active. If the deadline is reached during the job's workload, the job and its Pods are terminated. If the job is suspended using the Suspend field, this timer is stopped and reset when unsuspended. Format: int64 | false |
backoffLimit | integer | Specifies the number of retry attempts before the job is considered failed. Defaults to 6. Format: int32 | false |
suspend | boolean | If set to true, this tells Kubernetes to suspend this Job until the field is set to false. If the Job is active while this field is set to true, all running Pods will be terminated. | false |
ttlSecondsAfterFinished | integer | The number of seconds to wait before removing the Job after it has finished. If unset, the Job will not be cleaned up. It is recommended to set this to avoid clutter in your resource tree. Format: int32 | false |
SKIPJob.spec.prometheus
Prometheus settings for the pod running in the job. Fields are identical to Application, and if set, a PodMonitoring object is created.
Name | Type | Description | Required |
---|---|---|---|
port | int or string | The port number or name where metrics are exposed (at the Pod level). | true |
allowAllMetrics | boolean | Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined metrics will be dropped by default. See util/constants.go for the default list. Default: false | false |
path | string | The HTTP path where Prometheus-compatible metrics exist. Default: /metrics | false |
SKIPJob.status
SkiperatorStatus
A status field shown on a Skiperator resource which contains information regarding deployment of the resource.
Name | Type | Description | Required |
---|---|---|---|
accessPolicies | string | Indicates if access policies are valid | true |
conditions | []object | | true |
subresources | map[string]object | | true |
summary | object | Status | true |
SKIPJob.status.conditions[index]
Condition contains details for one aspect of the current state of this API Resource.
Name | Type | Description | Required |
---|---|---|---|
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 | false |
SKIPJob.status.subresources[key]
Status
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |
SKIPJob.status.summary
Status
Name | Type | Description | Required |
---|---|---|---|
message | string | Default: hello | true |
status | string | Default: Synced | true |
timestamp | string | Default: hello | true |