
API Reference

Packages:

skiperator.kartverket.no/v1alpha1

Resource Types:

Application

Application

Root object for the Application resource. An Application resource is a resource for easily managing a Dockerized container within the context of a Kartverket cluster. It lets product teams avoid setting up networking on the cluster themselves, and provides a lot of security features out of the box.

apiVersion (string, required)
    skiperator.kartverket.no/v1alpha1

kind (string, required)
    Application

metadata (object, required)
    Refer to the Kubernetes API documentation for the fields of the metadata field.

spec (object, optional)

status (object, optional)
    SkiperatorStatus: a status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Application.spec

image (string, required)
    The image the application will run. This image will be added to a Deployment resource.

port (integer, required)
    The port the deployment exposes.

accessPolicy (object, optional)
    The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.

additionalPorts ([]object, optional)
    An optional list of extra ports to expose on a pod level basis, for example so Instana or other APM tools can reach it.

appProtocol (enum, optional)
    Protocol that the application speaks.
    Enum: http, tcp, udp
    Default: http

authorizationSettings (object, optional)
    Used for allow listing certain default blocked endpoints, such as /actuator/ endpoints.

command ([]string, optional)
    Override the command set in the Dockerfile. Usually only used when debugging or running third-party containers where you don't have control over the Dockerfile.

enablePDB (boolean, optional)
    Whether to enable automatic Pod Disruption Budget creation for this application.
    Default: true

env ([]object, optional)
    Environment variables that will be set inside the Deployment's Pod. See https://pkg.go.dev/k8s.io/api/core/v1#EnvVar for examples.

envFrom ([]object, optional)
    Environment variables mounted from files. When specified, all the keys of the resource will be assigned as environment variables. Supports both ConfigMaps and Secrets.
    For mounting as files see FilesFrom.

filesFrom ([]object, optional)
    Mounting volumes into the Deployment is done using the FilesFrom argument.
    FilesFrom supports ConfigMaps, Secrets and PVCs. The Application resource assumes these have already been created by you, and will fail if this is not the case.
    For mounting environment variables see EnvFrom.

gcp (object, optional)
    GCP is used to configure Google Cloud Platform specific settings for the application.

idporten (object, optional)
    Settings for ID-porten integration with Digitaliseringsdirektoratet.

ingresses ([]string, optional)
    Any external hostnames that route to this application. Using a skip.statkart.no address will make the application reachable for Kartverket clients (internal); other addresses make the app reachable on the internet. Note that addresses other than skip.statkart.no (also known as pretty hostnames) require additional DNS setup. The listed hostnames will also have TLS certificates issued and be reachable on both HTTP and HTTPS.
    Ingresses must be lowercase, contain no spaces, be a non-empty string, and have a hostname/domain separated by a period. They can optionally be suffixed with a plus sign and the name of a custom TLS secret located in the istio-gateways namespace, e.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert".

istioSettings (object, optional)
    IstioSettings are used to configure Istio specific resources such as telemetry. Currently, adjusting the sampling rate for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.
    Default: telemetry: {tracing: [{randomSamplingPercentage: 10}]}

labels (map[string]string, optional)
    Labels can be used if you want every resource created by your application to have the same labels, including your application. This could for example be useful for metrics, where a certain label and the corresponding resources' liveness can be combined. Any number of labels can be added, and they will all cascade down to all resources.

liveness (object, optional)
    Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make Kubernetes restart the app. Liveness is optional, but when provided, path and port are required.
    See Probe for structure definition.

maskinporten (object, optional)
    Settings for Maskinporten integration with Digitaliseringsdirektoratet.

podSettings (object, optional)
    PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.

priority (enum, optional)
    An optional priority. Supported values are 'low', 'medium' and 'high'. The default value is 'medium'.
    Most workloads should not have to specify this field. If you think you do, please consult with SKIP beforehand.
    Enum: low, medium, high
    Default: medium

prometheus (object, optional)
    Optional settings for how Prometheus compatible metrics should be scraped.

readiness (object, optional)
    Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required.

redirectToHTTPS (boolean, optional)
    Controls whether the application will automatically redirect all HTTP calls to HTTPS via the Istio VirtualService. This redirect does not happen on the route /.well-known/acme-challenge/, as the ACME challenge can only be done on port 80.
    Default: true

replicas (JSON, optional)
    The number of replicas can either be specified as a static number:

        replicas: 2

    or as a range between min and max to enable HorizontalPodAutoscaling. The default value for replicas is:

        replicas:
          min: 2
          max: 5
          targetCpuUtilization: 80

    Using autoscaling is the recommended configuration for replicas.

resourceLabels (map[string]map[string]string, optional)
    ResourceLabels can be used if you want to add a label to a specific resource created by the application. One such label could for example be set on a Deployment, such that the Deployment avoids certain rules from Gatekeeper, or similar. Any number of labels may be added per ResourceLabels item.

resources (object, optional)
    ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.

startup (object, optional)
    Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required.

strategy (object, optional)
    Defines an alternative strategy for the Kubernetes Deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones.
    Valid values are: RollingUpdate, Recreate. Default is RollingUpdate.

team (string, optional)
    Team specifies the team who owns this particular app. Usually sourced from the namespace label.
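A complete Application manifest that exercises the spec fields above (probes, autoscaled replicas, an endpoint allow list, env/envFrom/filesFrom, resources and pod settings), as an added example written for this reference rather than taken from the Skiperator project. The resource name, namespace, image reference, hostname, ConfigMap/Secret names and probe paths are constructed values.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: orders-api            # constructed name
  namespace: team-orders      # constructed namespace
spec:
  image: ghcr.io/example/orders-api:1.4.2   # constructed image reference
  port: 8080
  appProtocol: http
  # A min/max range enables HorizontalPodAutoscaling (the recommended form);
  # a bare "replicas: 2" would pin a static count instead.
  replicas:
    min: 2
    max: 5
    targetCpuUtilization: 80
  ingresses:
    - orders.skip.statkart.no   # skip.statkart.no address: reachable for internal clients only
  redirectToHTTPS: true         # ACME challenge path stays on plain HTTP
  # Default-blocked endpoints stay blocked; only the listed paths are allowed.
  # Matching is exact, so the trailing-slash variant has to be listed separately.
  authorizationSettings:
    allowAll: false
    allowList:
      - /actuator/health
      - /actuator/health/
  env:
    - name: LOG_LEVEL
      value: info
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: orders-db-credentials   # constructed Secret, same namespace
          key: password
  envFrom:
    - configMap: orders-settings        # every key becomes an environment variable
  filesFrom:
    - mountPath: /config
      configMap: orders-config          # must already exist in the namespace
    - mountPath: /data
      persistentVolumeClaim: orders-data
  liveness:
    path: /actuator/health/liveness
    port: 8080
    initialDelay: 10
    period: 10
    failureThreshold: 3
  readiness:
    path: /actuator/health/readiness
    port: 8080
    timeout: 2
  # Startup probe gates liveness/readiness until the app has actually started:
  # up to 30 * 5 s = 150 s before Kubernetes gives up on a slow start.
  startup:
    path: /actuator/health/liveness
    port: 8080
    period: 5
    failureThreshold: 30
  resources:
    requests:
      cpu: 250m
      memory: 512Mi
    limits:
      memory: 1Gi          # memory limit only, following the note against CPU limits
  podSettings:
    terminationGracePeriodSeconds: 60   # raised from the 30 s default for slow shutdowns
  strategy:
    type: RollingUpdate
  enablePDB: true
```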

Application.spec.accessPolicy

The root AccessPolicy for managing zero trust access to your Application. See AccessPolicy for more information.

inbound (object, optional)
    Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

outbound (object, optional)
    Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

Application.spec.accessPolicy.inbound

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

rules ([]object, required)
    The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Application.spec.accessPolicy.inbound.rules[index]

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

application (string, required)
    The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob.

namespace (string, optional)
    The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of the Application.

namespacesByLabel (map[string]string, optional)
    Namespace label key-value pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored.

ports ([]object, optional)
    The ports to allow for the above application.

Application.spec.accessPolicy.inbound.rules[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

endPort (integer, optional)
    endPort indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port.
    Format: int32

port (int or string, optional)
    port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

protocol (string, optional)
    protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

Application.spec.accessPolicy.outbound

Outbound specifies egress rules. Which apps on the cluster and the internet is the Application allowed to send requests to?

external ([]object, optional)
    External specifies which applications on the internet the application can reach. Only host is required, unless the host is reached on a port other than HTTPS port 443. If other ports or protocols are required then ports must be specified as well.

rules ([]object, optional)
    Rules apply the same in-cluster rules as the inbound policy.

Application.spec.accessPolicy.outbound.external[index]

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

host (string, required)

ip (string, optional)
    Non-HTTP requests (i.e. using the TCP protocol) need to use an IP in addition to the hostname. Only required for TCP requests.
    Note: Hostname must always be defined even if IP is set statically.

ports ([]object, optional)
    The ports to allow for the above hostname. When not specified, HTTP and HTTPS on ports 80 and 443 respectively are put into the allowlist.

Application.spec.accessPolicy.outbound.external[index].ports[index]

ExternalPort

A custom port describing an external host.

name (string, required)
    Name is required and is an arbitrary name. Must be unique within all ExternalRule ports.

port (integer, required)
    The port number of the external host.

protocol (enum, required)
    The protocol to use for communication with the host. Only HTTP, HTTPS and TCP are supported.
    Enum: HTTP, HTTPS, TCP

Application.spec.accessPolicy.outbound.rules[index]

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

application (string, required)
    The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob.

namespace (string, optional)
    The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of the Application.

namespacesByLabel (map[string]string, optional)
    Namespace label key-value pair in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored.

ports ([]object, optional)
    The ports to allow for the above application.

Application.spec.accessPolicy.outbound.rules[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

endPort (integer, optional)
    endPort indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal to or greater than port.
    Format: int32

port (int or string, optional)
    port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

protocol (string, optional)
    protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
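An accessPolicy that combines every rule type described in the sections above (same-namespace, cross-namespace, label-selected and SKIPJob inbound rules; an in-cluster outbound rule with a port range; HTTPS-only and TCP external rules), as an added example that is not taken from the Skiperator project. Application names, namespaces, labels, hostnames and the IP address are constructed values.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: orders-api            # constructed name
  namespace: team-orders      # constructed namespace
spec:
  image: ghcr.io/example/orders-api:1.4.2   # constructed image reference
  port: 8080
  accessPolicy:
    inbound:
      rules:
        # Same namespace: the application name alone identifies the caller.
        - application: orders-frontend
        # Another namespace: namespace is required.
        - application: reporting-batch-skipjob   # a SKIPJob caller carries the -skipjob suffix
          namespace: team-reporting
        # Select caller namespaces by label instead of by name. If namespace were
        # also set it would take precedence and namespacesByLabel would be ignored.
        - application: edge-gateway
          namespacesByLabel:
            tier: edge
          ports:                 # restrict the rule to the application port only
            - port: 8080
              protocol: TCP
    outbound:
      rules:
        - application: inventory-api
          namespace: team-inventory
          ports:
            - port: 9000
              endPort: 9010      # inclusive range 9000-9010; endPort needs a numeric port
              protocol: TCP
      external:
        # With ports omitted, HTTP on 80 and HTTPS on 443 are allow-listed.
        - host: api.partner.example
        # Non-HTTP traffic: ip and explicit ports are needed, and host stays mandatory.
        - host: db.partner.example
          ip: 203.0.113.10       # constructed address from the documentation range
          ports:
            - name: postgres     # unique across all ExternalRule ports
              port: 5432
              protocol: TCP
```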

Application.spec.additionalPorts[index]

name (string, required)

port (integer, required)
    Format: int32

protocol (enum, required)
    Protocol defines network protocols supported for things like container ports.
    Enum: TCP, UDP, SCTP

Application.spec.authorizationSettings

Used for allow listing certain default blocked endpoints, such as /actuator/ endpoints.

allowAll (boolean, optional)
    Allows all endpoints by not creating an AuthorizationPolicy, and ignores the content of AllowList. If the field is false, the contents of AllowList will be used instead, if AllowList is set.
    Default: false

allowList ([]string, optional)
    Allows specific endpoints. Common endpoints one might want to allow include /actuator/health, /actuator/startup and /actuator/info.
    Note that endpoints are matched exactly on the input, so if you allow /actuator/health, you will not allow /actuator/health/.

Application.spec.env[index]

EnvVar represents an environment variable present in a Container.

name (string, required)
    Name of the environment variable. Must be a C_IDENTIFIER.

value (string, optional)
    Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFrom (object, optional)
    Source for the environment variable's value. Cannot be used if value is not empty.

Application.spec.env[index].valueFrom

Source for the environment variable's value. Cannot be used if value is not empty.

configMapKeyRef (object, optional)
    Selects a key of a ConfigMap.

fieldRef (object, optional)
    Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRef (object, optional)
    Selects a resource of the container: only resource limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRef (object, optional)
    Selects a key of a Secret in the pod's namespace.

Application.spec.env[index].valueFrom.configMapKeyRef

Selects a key of a ConfigMap.

key (string, required)
    The key to select.

name (string, optional)
    Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    Default: "" (empty string)

optional (boolean, optional)
    Specify whether the ConfigMap or its key must be defined.

Application.spec.env[index].valueFrom.fieldRef

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

fieldPath (string, required)
    Path of the field to select in the specified API version.

apiVersion (string, optional)
    Version of the schema the FieldPath is written in terms of; defaults to "v1".

Application.spec.env[index].valueFrom.resourceFieldRef

Selects a resource of the container: only resource limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

resource (string, required)
    Required: resource to select.

containerName (string, optional)
    Container name: required for volumes, optional for env vars.

divisor (int or string, optional)
    Specifies the output format of the exposed resources; defaults to "1".

Application.spec.env[index].valueFrom.secretKeyRef

Selects a key of a Secret in the pod's namespace.

key (string, required)
    The key of the Secret to select from. Must be a valid secret key.

name (string, optional)
    Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    Default: "" (empty string)

optional (boolean, optional)
    Specify whether the Secret or its key must be defined.

Application.spec.envFrom[index]

configMap (string, optional)
    Name of the Kubernetes ConfigMap from which the deployment should mount environment variables. Must be in the same namespace as the Application.

secret (string, optional)
    Name of the Kubernetes Secret from which the deployment should mount environment variables. Must be in the same namespace as the Application.

Application.spec.filesFrom[index]

FilesFrom

Struct representing the information needed to mount a Kubernetes resource as a file in a Pod's directory. Exactly one of configMap, secret, emptyDir or persistentVolumeClaim must be present, and its value is just the name of the resource in question. NB: out of the box, Skiperator provides a writable emptyDir volume at /tmp.

mountPath (string, required)
    The path to mount the file in the Pod's directory. Required.

configMap (string, optional)

emptyDir (string, optional)

persistentVolumeClaim (string, optional)

secret (string, optional)

Application.spec.gcp

GCP is used to configure Google Cloud Platform specific settings for the application.

auth (object, optional)
    Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP service account Pods should identify as. To allow this, the IAM role iam.workloadIdentityUser must be set on a GCP service account and bound to the Pod's Kubernetes SA. Documentation on how this is done can be found here (closed wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

cloudSqlProxy (object, optional)
    CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

Application.spec.gcp.auth

Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP service account Pods should identify as. To allow this, the IAM role iam.workloadIdentityUser must be set on a GCP service account and bound to the Pod's Kubernetes SA. Documentation on how this is done can be found here (closed wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

serviceAccount (string, required)
    Name of the service account you are authenticating your pod with. Generally takes the form some-name@some-project-id.iam.gserviceaccount.com.

Application.spec.gcp.cloudSqlProxy

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

connectionName (string, required)
    Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource. The format is "projectName:region:instanceName", e.g. "skip-prod-bda1:europe-north1:my-db".

ip (string, required)
    The IP address of the CloudSQL instance. This is used to create a ServiceEntry for the CloudSQL proxy.

serviceAccount (string, required)
    Service account used by the Cloud SQL Auth Proxy. This service account must have the roles/cloudsql.client role.

version (string, optional)
    Image version for the CloudSQL proxy sidecar.
    Default: 2.8.0

Application.spec.idporten

Settings for ID-porten integration with Digitaliseringsdirektoratet.

enabled (boolean, required)
    Whether to enable provisioning of an ID-porten client. If enabled, an ID-porten client will be provisioned.

accessTokenLifetime (integer, optional)
    AccessTokenLifetime is the lifetime in seconds for any issued access token from ID-porten.
    If unspecified, defaults to 3600 seconds (1 hour).
    Minimum: 1
    Maximum: 3600

clientName (string, optional)
    The name of the client as shown in Digitaliseringsdirektoratet's Samarbeidsportal. Meant to be a human-readable name for separating clients in the portal.

clientURI (string, optional)
    ClientURI is the URL shown to the user at ID-porten when displaying a 'back' button or on errors.

frontchannelLogoutPath (string, optional)
    FrontchannelLogoutPath is a valid path for your application to which ID-porten sends a request whenever the user has initiated a logout elsewhere as part of a single logout (front channel logout) process.

integrationType (enum, optional)
    IntegrationType is used to make sensible choices for your client. Which type of integration you choose will provide guidance on which scopes you can use with the client. A client can only have one integration type.
    NB! It is not possible to change the integration type after creation.
    Enum: krr, idporten, api_klient

postLogoutRedirectPath (string, optional)
    PostLogoutRedirectPath is a simpler version of PostLogoutRedirectURIs that will be appended to the ingress.

postLogoutRedirectURIs ([]string, optional)
    PostLogoutRedirectURIs are valid URIs that ID-porten will allow redirecting the end user to after a single logout has been initiated and performed by the application.

redirectPath (string, optional)
    RedirectPath is a valid path that ID-porten redirects back to after a successful authorization request.

scopes ([]string, optional)
    Register different OAuth2 scopes on your client. You will not be able to add a scope to your client that conflicts with the client's IntegrationType. For example, you can not add a scope that is limited to the IntegrationType krr on a client of IntegrationType idporten, and vice versa.
    Default for IntegrationType krr: ("krr:global/kontaktinformasjon.read", "krr:global/digitalpost.read"). Default for IntegrationType idporten: ("openid", "profile"). IntegrationType api_klient has no default; check the Digdir documentation.

sessionLifetime (integer, optional)
    SessionLifetime is the maximum lifetime in seconds for any given user's session in your application. The timeout starts whenever the user is redirected from the authorization_endpoint at ID-porten.
    If unspecified, defaults to 7200 seconds (2 hours). Note: attempting to refresh the user's access_token beyond this timeout will yield an error.
    Minimum: 3600
    Maximum: 7200

Application.spec.istioSettings

IstioSettings are used to configure Istio specific resources such as telemetry. Currently, adjusting the sampling rate for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

telemetry (object, optional)
    Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.
    Default: tracing: [{randomSamplingPercentage: 10}]

Application.spec.istioSettings.telemetry

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

tracing ([]object, optional)
    Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed.
    Default: [{randomSamplingPercentage: 10}]

Application.spec.istioSettings.telemetry.tracing[index]

Tracing contains relevant settings for tracing in the telemetry configuration.

randomSamplingPercentage (integer, optional)
    RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified as a whole number between 0 and 100. Setting RandomSamplingPercentage to 0 will disable tracing.
    Default: 10
    Minimum: 0
    Maximum: 100

Application.spec.liveness

Liveness probes define a resource that returns 200 OK when the app is running as intended. Returning a non-200 code will make Kubernetes restart the app. Liveness is optional, but when provided, path and port are required.

See Probe for structure definition.

path (string, required)
    The path to access on the HTTP server.

port (int or string, required)
    Number of the port to access on the container.

failureThreshold (integer, optional)
    Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
    Format: int32
    Default: 3

initialDelay (integer, optional)
    Delay sending the first probe by X seconds. Can be useful for applications that are slow to start.
    Format: int32
    Default: 0

period (integer, optional)
    Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.
    Format: int32
    Default: 10

successThreshold (integer, optional)
    Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1.
    Format: int32
    Default: 1

timeout (integer, optional)
    Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1.
    Format: int32
    Default: 1

Application.spec.maskinporten

Settings for Maskinporten integration with Digitaliseringsdirektoratet.

enabled (boolean, required)
    If enabled, provisions and configures a Maskinporten client with consumed scopes and/or exposed scopes with DigDir.

clientName (string, optional)
    The name of the client as shown in Digitaliseringsdirektoratet's Samarbeidsportal. Meant to be a human-readable name for separating clients in the portal.

scopes (object, optional)
    Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

Application.spec.maskinporten.scopes

Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

consumes ([]object, optional)
    This is the schema for the consumes and exposes API. consumes is a list of scopes that your client can request access to.

exposes ([]object, optional)
    exposes is a list of scopes your application wants to expose to other organizations, where access to the scope is based on organization number.

Application.spec.maskinporten.scopes.consumes[index]

name (string, required)
    The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access.

Application.spec.maskinporten.scopes.exposes[index]

enabled (boolean, required)
    If enabled, the configured scope is available to be used and consumed by organizations granted access.

name (string, required)
    The actual subscope, combined with Product. Ensure that <Product><Name> matches Pattern.

product (string, required)
    The product area your application belongs to, e.g. arbeid, helse, ... This will be included in the final scope nav:<Product><Name>.

accessibleForAll (boolean, optional)
    Allow any organization to access the scope.

allowedIntegrations ([]string, optional)
    Allow list of the integrations permitted. Default is maskinporten.

atMaxAge (integer, optional)
    Max time in seconds for an issued access_token. Default is 30 sec.
    Minimum: 30
    Maximum: 680

consumers ([]object, optional)
    External consumers granted access to this scope and able to request an access_token.

delegationSource (enum, optional)
    Delegation source for the scope. Default is empty, which means no delegation is allowed.
    Enum: altinn

separator (string, optional)
    Separator is the character that separates product and name in the final scope: scope := <prefix>:<product><separator><name>. This overrides the default separator. The default separator is ":". If name contains "/", the default separator is instead "/".

Application.spec.maskinporten.scopes.exposes[index].consumers[index]

orgno (string, required)
    The external business/organization number.

name (string, optional)
    This is a descriptive field intended for clarity; it is not used for any other purpose.
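The ID-porten and Maskinporten settings from the two sections above combined in one Application, as an added example that is not from the Skiperator project. The client names, paths, consumed scope name, product, subscope and organisation number are constructed, and the <prefix> of the resulting Maskinporten scope is whatever the platform assigns.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: citizen-portal        # constructed name
  namespace: team-portal      # constructed namespace
spec:
  image: ghcr.io/example/citizen-portal:2.0.0   # constructed image reference
  port: 8080
  ingresses:
    - portal.skip.statkart.no   # paths below are appended to this ingress
  idporten:
    enabled: true
    clientName: Citizen portal (dev)
    integrationType: idporten   # cannot be changed after the client is created
    scopes:                     # the documented defaults for idporten, listed explicitly
      - openid
      - profile
    redirectPath: /oauth2/callback          # ID-porten redirects here after authorization
    frontchannelLogoutPath: /oauth2/logout  # receives front channel logout requests
    postLogoutRedirectPath: /
    accessTokenLifetime: 1800   # shorter than the 3600 s default; must be within 1..3600
    sessionLifetime: 3600       # refreshes past this point fail; must be within 3600..7200
  maskinporten:
    enabled: true
    clientName: Citizen portal (dev)
    scopes:
      consumes:
        # Constructed scope name; the owning organization must have granted access first.
        - name: partner:register/lookup.read
      exposes:
        - enabled: true
          product: property
          name: cadastre.read
          separator: "/"         # final scope: <prefix>:property/cadastre.read
          atMaxAge: 120          # token lifetime in seconds, within 30..680
          allowedIntegrations:
            - maskinporten
          accessibleForAll: false   # only the listed consumers may request a token
          consumers:
            - orgno: "123456789"    # constructed organisation number
              name: Partner municipality
```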

Application.spec.podSettings

PodSettings are used to apply specific settings to the Pod Template used by Skiperator to create Deployments. This allows you to set things like annotations on the Pod to change the behaviour of sidecars, and set relevant Pod options such as TerminationGracePeriodSeconds.

annotations (map[string]string, optional)
    Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar.

disablePodSpreadTopologyConstraints (boolean, optional)
    DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to a given pod.
    Default: false

terminationGracePeriodSeconds (integer, optional)
    TerminationGracePeriodSeconds determines how long Kubernetes waits after a SIGTERM signal is sent to a Pod before terminating the pod. If your application takes longer than 30 seconds to terminate, you should increase TerminationGracePeriodSeconds.
    Format: int64
    Default: 30

Application.spec.prometheus

Optional settings for how Prometheus compatible metrics should be scraped.

port (int or string, required)
    The port number or name where metrics are exposed (at the Pod level).

allowAllMetrics (boolean, optional)
    Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined metrics will be dropped by default. See util/constants.go for the default list.
    Default: false

path (string, optional)
    The HTTP path where Prometheus compatible metrics exist.
    Default: /metrics

Application.spec.readiness

Readiness probes define a resource that returns 200 OK when the app is running as intended. Kubernetes will wait until the resource returns 200 OK before marking the pod as Running and progressing with the deployment strategy. Readiness is optional, but when provided, path and port are required.

path (string, required)
    The path to access on the HTTP server.

port (int or string, required)
    Number of the port to access on the container.

failureThreshold (integer, optional)
    Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
    Format: int32
    Default: 3

initialDelay (integer, optional)
    Delay sending the first probe by X seconds. Can be useful for applications that are slow to start.
    Format: int32
    Default: 0

period (integer, optional)
    Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds.
    Format: int32
    Default: 10

successThreshold (integer, optional)
    Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1.
    Format: int32
    Default: 1

timeout (integer, optional)
    Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1.
    Format: int32
    Default: 1

Application.spec.resources

ResourceRequirements to apply to the deployment. It's common to set some of these to prevent the app from swelling in resource usage and consuming all the resources of other apps on the cluster.

Name | Type | Description | Required
--- | --- | --- | ---
limits | map[string]int or string | Limits set the maximum the app is allowed to use. Exceeding this limit will make Kubernetes kill the app and restart it. Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits | false
requests | map[string]int or string | Requests set the initial allocation that is done for the app and will thus be available to the app on startup. More is allocated on demand until the limit is reached. Requests can be set on the CPU and memory. | false

Application.spec.startup

Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow-starting containers, avoiding them getting killed by Kubernetes before they are up and running. Startup is optional, but when provided, path and port are required.

Name | Type | Description | Required
--- | --- | --- | ---
path | string | The path to access on the HTTP server. | true
port | int or string | Number of the port to access on the container. | true
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32. Default: 3 | false
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32. Default: 0 | false
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32. Default: 10 | false
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1. Format: int32. Default: 1 | false
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32. Default: 1 | false

Application.spec.strategy

Defines an alternative strategy for the Kubernetes deployment. This is useful when the default strategy, RollingUpdate, is not usable. Setting type to Recreate will take down all the pods before starting new pods, whereas the default of RollingUpdate will try to start the new pods before taking down the old ones.

Name | Type | Description | Required
--- | --- | --- | ---
type | enum | Valid values are: RollingUpdate, Recreate. Default is RollingUpdate. Enum: RollingUpdate, Recreate. Default: RollingUpdate | false
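The probe, resource, pod and strategy settings documented above, combined in one Application manifest. This is an added illustration, not a manifest from the Skiperator project; the name, namespace, image reference, probe paths and annotation key are constructed placeholders.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: example-api          # constructed name
  namespace: example-team    # constructed namespace
spec:
  image: registry.example.com/example-api:1.2.3   # placeholder image reference
  port: 8080

  # Startup probe: liveness and readiness are held back until this succeeds.
  # The slow-start budget is failureThreshold * period = 30 * 5 = 150 seconds
  # before Kubernetes gives up and restarts the container.
  startup:
    path: /healthz           # constructed path
    port: 8080
    failureThreshold: 30
    period: 5

  # Readiness only gates traffic: a failing readiness probe removes the Pod
  # from Service endpoints without restarting it.
  readiness:
    path: /readyz            # constructed path
    port: 8080
    initialDelay: 0
    period: 10
    timeout: 2
    failureThreshold: 3
    successThreshold: 1

  # Requests are what the scheduler reserves. A memory limit caps usage and an
  # exceeded memory limit gets the container OOM-killed; no CPU limit is set,
  # following the recommendation in the limits field description above.
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      memory: 512Mi

  podSettings:
    # Give in-flight requests up to 60 seconds to drain after SIGTERM.
    terminationGracePeriodSeconds: 60
    annotations:
      example.com/owner: example-team   # constructed annotation key

  prometheus:
    port: 8080
    path: /metrics
    allowAllMetrics: false   # keep the default drop list from util/constants.go

  # Recreate takes every old Pod down before the new ones start; use it only
  # when two versions cannot run side by side (for example a schema migration).
  strategy:
    type: Recreate
```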

Application.status

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name | Type | Description | Required
--- | --- | --- | ---
accessPolicies | string | Indicates if access policies are valid. | true
conditions | []object | | true
subresources | map[string]object | | true
summary | object | Status | true

Application.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

Name | Type | Description | Required
--- | --- | --- | ---
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true
message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false

Application.status.subresources[key]

Status

Name | Type | Description | Required
--- | --- | --- | ---
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true

Application.status.summary

Status

Name | Type | Description | Required
--- | --- | --- | ---
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true

Routing

Name | Type | Description | Required
--- | --- | --- | ---
apiVersion | string | skiperator.kartverket.no/v1alpha1 | true
kind | string | Routing | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | | true
status | object | SkiperatorStatus. A status field shown on a Skiperator resource which contains information regarding deployment of the resource. | false

Routing.spec

Name | Type | Description | Required
--- | --- | --- | ---
hostname | string | | true
routes | []object | | true
redirectToHTTPS | boolean | Default: true | false

Routing.spec.routes[index]

Name | Type | Description | Required
--- | --- | --- | ---
pathPrefix | string | | true
targetApp | string | | true
port | integer | Format: int32 | false
rewriteUri | boolean | Default: false | false

Routing.status

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name | Type | Description | Required
--- | --- | --- | ---
accessPolicies | string | Indicates if access policies are valid. | true
conditions | []object | | true
subresources | map[string]object | | true
summary | object | Status | true

Routing.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

Name | Type | Description | Required
--- | --- | --- | ---
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true
message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false

Routing.status.subresources[key]

Status

Name | Type | Description | Required
--- | --- | --- | ---
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true

Routing.status.summary

Status

Name | Type | Description | Required
--- | --- | --- | ---
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true

SKIPJob

SKIPJob is the Schema for the skipjobs API.

Name | Type | Description | Required
--- | --- | --- | ---
apiVersion | string | skiperator.kartverket.no/v1alpha1 | true
kind | string | SKIPJob | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | SKIPJobSpec defines the desired state of SKIPJob. A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings. | true
status | object | SkiperatorStatus. A status field shown on a Skiperator resource which contains information regarding deployment of the resource. | false

SKIPJob.spec

SKIPJobSpec defines the desired state of SKIPJob.

A SKIPJob is either defined as a one-off or a scheduled job. If the Cron field is set for SKIPJob, it may not be removed. If the Cron field is unset, it may not be added. The Container field of a SKIPJob is only mutable if the Cron field is set. If unset, you must delete your SKIPJob to change container settings.

Name | Type | Description | Required
--- | --- | --- | ---
container | object | Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob. | true
cron | object | Settings for the Job if you are running a scheduled job. Optional, as Jobs may be one-off. | false
istioSettings | object | IstioSettings are used to configure Istio-specific resources such as telemetry. Currently, adjusting the sampling interval for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%. Default: {telemetry: {tracing: [{randomSamplingPercentage: 10}]}} | false
job | object | Settings for the actual Job. If you use a scheduled job, the settings in here will also specify the template of the job. | false
prometheus | object | Prometheus settings for the pod running in the job. Fields are identical to Application and, if set, a PodMonitoring object is created. | false

SKIPJob.spec.container

Settings for the Pods running in the job. Fields are mostly the same as an Application, and are (probably) better documented there. Some fields are omitted, but none added. Once set, you may not change Container without deleting your current SKIPJob.

Name | Type | Description | Required
--- | --- | --- | ---
image | string | | true
accessPolicy | object | AccessPolicy. Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to. | false
additionalPorts | []object | | false
command | []string | | false
env | []object | | false
envFrom | []object | | false
filesFrom | []object | | false
gcp | object | GCP. Configuration for interacting with Google Cloud Platform. | false
liveness | object | Probe. Type configuration for all types of Kubernetes probes. | false
podSettings | object | PodSettings | false
priority | enum | Enum: low, medium, high. Default: medium | false
readiness | object | Probe. Type configuration for all types of Kubernetes probes. | false
resources | object | ResourceRequirements. A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes | false
restartPolicy | enum | RestartPolicy describes how the container should be restarted. Only one of the following restart policies may be specified. If none of the following policies is specified, the default one is RestartPolicyAlways. Enum: OnFailure, Never. Default: Never | false
startup | object | Probe. Type configuration for all types of Kubernetes probes. | false

SKIPJob.spec.container.accessPolicy

AccessPolicy

Zero trust dictates that only applications with a reason for being able to access another resource should be able to reach it. This is set up by default by denying all ingress and egress traffic from the Pods in the Deployment. The AccessPolicy field is an allowlist of other applications and hostnames that are allowed to talk with this Application and which resources this app can talk to.

Name | Type | Description | Required
--- | --- | --- | ---
inbound | object | Inbound specifies the ingress rules. Which apps on the cluster can talk to this app? | false
outbound | object | Outbound specifies the egress rules. Which apps on the cluster and hosts on the internet is the Application allowed to send requests to? | false

SKIPJob.spec.container.accessPolicy.inbound

Inbound specifies the ingress rules. Which apps on the cluster can talk to this app?

Name | Type | Description | Required
--- | --- | --- | ---
rules | []object | The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required. | true

SKIPJob.spec.container.accessPolicy.inbound.rules[index]

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name | Type | Description | Required
--- | --- | --- | ---
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob. | true
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of this Application. | false
namespacesByLabel | map[string]string | Namespace label key/value pairs selecting the namespaces in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored. | false
ports | []object | The ports to allow for the above application. | false

SKIPJob.spec.container.accessPolicy.inbound.rules[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

Name | Type | Description | Required
--- | --- | --- | ---
endPort | integer | endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32 | false
port | int or string | port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false

SKIPJob.spec.container.accessPolicy.outbound

Outbound specifies the egress rules. Which apps on the cluster and hosts on the internet is the Application allowed to send requests to?

Name | Type | Description | Required
--- | --- | --- | ---
external | []object | External specifies which applications on the internet the application can reach. Only host is required unless the service is on another port than the HTTPS port 443. If other ports or protocols are required, then ports must be specified as well. | false
rules | []object | Rules apply the same in-cluster rules as InboundPolicy. | false

SKIPJob.spec.container.accessPolicy.outbound.external[index]

ExternalRule

Describes a rule for allowing your Application to route traffic to external applications and hosts.

Name | Type | Description | Required
--- | --- | --- | ---
host | string | | true
ip | string | Non-HTTP requests (i.e. using the TCP protocol) need to use IP in addition to hostname. Only required for TCP requests. Note: Hostname must always be defined even if IP is set statically. | false
ports | []object | The ports to allow for the above hostname. When not specified, HTTP and HTTPS on ports 80 and 443 respectively are put into the allowlist. | false

SKIPJob.spec.container.accessPolicy.outbound.external[index].ports[index]

ExternalPort

A custom port describing an external host.

Name | Type | Description | Required
--- | --- | --- | ---
name | string | Name is required and is an arbitrary name. Must be unique within all ExternalRule ports. | true
port | integer | The port number of the external host. | true
protocol | enum | The protocol to use for communication with the host. Only HTTP, HTTPS and TCP are supported. Enum: HTTP, HTTPS, TCP | true

SKIPJob.spec.container.accessPolicy.outbound.rules[index]

InternalRule

The rules list specifies a list of applications. When no namespace is specified it refers to an app in the current namespace. For apps in other namespaces, namespace is required.

Name | Type | Description | Required
--- | --- | --- | ---
application | string | The name of the Application you are allowing traffic to/from. If you wish to allow traffic from a SKIPJob, this field should be suffixed with -skipjob. | true
namespace | string | The namespace in which the Application you are allowing traffic to/from resides. If unset, uses the namespace of this Application. | false
namespacesByLabel | map[string]string | Namespace label key/value pairs selecting the namespaces in which the Application you are allowing traffic to/from resides. If both namespace and namespacesByLabel are set, namespace takes precedence and namespacesByLabel is ignored. | false
ports | []object | The ports to allow for the above application. | false

SKIPJob.spec.container.accessPolicy.outbound.rules[index].ports[index]

NetworkPolicyPort describes a port to allow traffic on.

Name | Type | Description | Required
--- | --- | --- | ---
endPort | integer | endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. Format: int32 | false
port | int or string | port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | false
protocol | string | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | false

SKIPJob.spec.container.additionalPorts[index]

Name | Type | Description | Required
--- | --- | --- | ---
name | string | | true
port | integer | Format: int32 | true
protocol | enum | Protocol defines network protocols supported for things like container ports. Enum: TCP, UDP, SCTP | true

SKIPJob.spec.container.env[index]

EnvVar represents an environment variable present in a Container.

Name | Type | Description | Required
--- | --- | --- | ---
name | string | Name of the environment variable. Must be a C_IDENTIFIER. | true
value | string | Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". | false
valueFrom | object | Source for the environment variable's value. Cannot be used if value is not empty. | false

SKIPJob.spec.container.env[index].valueFrom

Source for the environment variable's value. Cannot be used if value is not empty.

Name | Type | Description | Required
--- | --- | --- | ---
configMapKeyRef | object | Selects a key of a ConfigMap. | false
fieldRef | object | Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. | false
resourceFieldRef | object | Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. | false
secretKeyRef | object | Selects a key of a secret in the pod's namespace. | false

SKIPJob.spec.container.env[index].valueFrom.configMapKeyRef

Selects a key of a ConfigMap.

Name | Type | Description | Required
--- | --- | --- | ---
key | string | The key to select. | true
name | string | Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: "" | false
optional | boolean | Specify whether the ConfigMap or its key must be defined. | false

SKIPJob.spec.container.env[index].valueFrom.fieldRef

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Name | Type | Description | Required
--- | --- | --- | ---
fieldPath | string | Path of the field to select in the specified API version. | true
apiVersion | string | Version of the schema the FieldPath is written in terms of, defaults to "v1". | false

SKIPJob.spec.container.env[index].valueFrom.resourceFieldRef

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Name | Type | Description | Required
--- | --- | --- | ---
resource | string | Required: resource to select. | true
containerName | string | Container name: required for volumes, optional for env vars. | false
divisor | int or string | Specifies the output format of the exposed resources, defaults to "1". | false

SKIPJob.spec.container.env[index].valueFrom.secretKeyRef

Selects a key of a secret in the pod's namespace.

Name | Type | Description | Required
--- | --- | --- | ---
key | string | The key of the secret to select from. Must be a valid secret key. | true
name | string | Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names Default: "" | false
optional | boolean | Specify whether the Secret or its key must be defined. | false

SKIPJob.spec.container.envFrom[index]

Name | Type | Description | Required
--- | --- | --- | ---
configMap | string | Name of the Kubernetes ConfigMap from which the deployment should mount environment variables. Must be in the same namespace as the Application. | false
secret | string | Name of the Kubernetes Secret from which the deployment should mount environment variables. Must be in the same namespace as the Application. | false

SKIPJob.spec.container.filesFrom[index]

FilesFrom

Struct representing the information needed to mount a Kubernetes resource as a file in a Pod's directory. One of ConfigMap, Secret, EmptyDir or PersistentVolumeClaim must be present, and it simply holds the name of the resource in question. NB: out of the box, Skiperator provides a writable emptyDir volume at /tmp.

Name | Type | Description | Required
--- | --- | --- | ---
mountPath | string | The path to mount the file in the Pod's directory. Required. | true
configMap | string | | false
emptyDir | string | | false
persistentVolumeClaim | string | | false
secret | string | | false

SKIPJob.spec.container.gcp

GCP

Configuration for interacting with Google Cloud Platform.

Name | Type | Description | Required
--- | --- | --- | ---
auth | object | Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP Service Account the Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA | false
cloudSqlProxy | object | CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy. | false

SKIPJob.spec.container.gcp.auth

Configuration for authenticating a Pod with Google Cloud Platform. For authentication with GCP, to use services like Secret Manager and/or Pub/Sub, we need to set the GCP Service Account the Pods should identify as. To allow this, we need the IAM role iam.workloadIdentityUser set on a GCP service account and bind this to the Pod's Kubernetes SA. Documentation on how this is done can be found here (Closed Wiki): https://kartverket.atlassian.net/wiki/spaces/SKIPDOK/pages/422346824/Autentisering+mot+GCP+som+Kubernetes+SA

Name | Type | Description | Required
--- | --- | --- | ---
serviceAccount | string | Name of the service account you are trying to authenticate your pod with. Generally takes the form some-name@some-project-id.iam.gserviceaccount.com. | true

SKIPJob.spec.container.gcp.cloudSqlProxy

CloudSQL is used to deploy a CloudSQL proxy sidecar in the pod. This is useful for connecting to CloudSQL databases that require Cloud SQL Auth Proxy.

Name | Type | Description | Required
--- | --- | --- | ---
connectionName | string | Connection name for the CloudSQL instance. Found in the Google Cloud Console under your CloudSQL resource. The format is "projectName:region:instanceName", e.g. "skip-prod-bda1:europe-north1:my-db". | true
ip | string | The IP address of the CloudSQL instance. This is used to create a ServiceEntry for the CloudSQL proxy. | true
serviceAccount | string | Service account used by the Cloud SQL Auth Proxy. This service account must have the roles/cloudsql.client role. | true
version | string | Image version for the CloudSQL proxy sidecar. Default: 2.8.0 | false

SKIPJob.spec.container.liveness

Probe

Type configuration for all types of Kubernetes probes.

Name | Type | Description | Required
--- | --- | --- | ---
path | string | The path to access on the HTTP server. | true
port | int or string | Number of the port to access on the container. | true
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32. Default: 3 | false
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32. Default: 0 | false
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32. Default: 10 | false
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1. Format: int32. Default: 1 | false
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32. Default: 1 | false

SKIPJob.spec.container.podSettings

PodSettings

Name | Type | Description | Required
--- | --- | --- | ---
annotations | map[string]string | Annotations that are set on Pods created by Skiperator. These annotations can for example be used to change the behaviour of sidecars and similar. | false
disablePodSpreadTopologyConstraints | boolean | DisablePodSpreadTopologyConstraints specifies whether to disable the addition of Pod Topology Spread Constraints to a given pod. Default: false | false
terminationGracePeriodSeconds | integer | TerminationGracePeriodSeconds determines how long Kubernetes waits after sending SIGTERM to a Pod before terminating it. If your application needs longer than 30 seconds to terminate, you should increase TerminationGracePeriodSeconds. Format: int64. Default: 30 | false

SKIPJob.spec.container.readiness

Probe

Type configuration for all types of Kubernetes probes.

Name | Type | Description | Required
--- | --- | --- | ---
path | string | The path to access on the HTTP server. | true
port | int or string | Number of the port to access on the container. | true
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32. Default: 3 | false
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32. Default: 0 | false
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32. Default: 10 | false
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1. Format: int32. Default: 1 | false
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32. Default: 1 | false

SKIPJob.spec.container.resources

ResourceRequirements

A simplified version of the Kubernetes native ResourceRequirement field, in which only Limits and Requests are present. For the units used for resources, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes

Name | Type | Description | Required
--- | --- | --- | ---
limits | map[string]int or string | Limits set the maximum the app is allowed to use. Exceeding this limit will make Kubernetes kill the app and restart it. Limits can be set on the CPU and memory, but it is not recommended to put a limit on CPU, see: https://home.robusta.dev/blog/stop-using-cpu-limits | false
requests | map[string]int or string | Requests set the initial allocation that is done for the app and will thus be available to the app on startup. More is allocated on demand until the limit is reached. Requests can be set on the CPU and memory. | false

SKIPJob.spec.container.startup

Probe

Type configuration for all types of Kubernetes probes.

Name | Type | Description | Required
--- | --- | --- | ---
path | string | The path to access on the HTTP server. | true
port | int or string | Number of the port to access on the container. | true
failureThreshold | integer | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Format: int32. Default: 3 | false
initialDelay | integer | Delay sending the first probe by X seconds. Can be useful for applications that are slow to start. Format: int32. Default: 0 | false
period | integer | Number of seconds Kubernetes waits between each probe. Defaults to 10 seconds. Format: int32. Default: 10 | false
successThreshold | integer | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup probes. Minimum value is 1. Format: int32. Default: 1 | false
timeout | integer | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Format: int32. Default: 1 | false

SKIPJob.spec.cron

Settings for the Job if you are running a scheduled job. Optional, as Jobs may be one-off.

Name | Type | Description | Required
schedule | string | A cron schedule string denoting the schedule of this job. See https://crontab.guru/ for help creating cron strings. Kubernetes CronJobs also include the extended "Vixie cron" step values: https://man.freebsd.org/cgi/man.cgi?crontab%285%29. | true
allowConcurrency | enum | Denotes how Kubernetes should react to multiple instances of the Job being started at the same time. Allow will allow concurrent Jobs. Forbid will not allow this, and instead skip the newer scheduled Job. Replace will replace the currently active Job with the newer scheduled Job. Enum: Allow, Forbid, Replace. Default: Allow | false
startingDeadlineSeconds | integer | Denotes the deadline in seconds for starting a Job on its schedule, if for some reason the Job's controller was not ready at the scheduled time. If unset, Jobs missing their deadline will be considered failed Jobs and will not start. Format: int64 | false
suspend | boolean | If set to true, this tells Kubernetes to suspend this Job until the field is set to false. If the Job is active while this field is set to true, all running Pods will be terminated. | false
timeZone | string | The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this defaults to the time zone of the cluster. Example: "Europe/Oslo" | false

SKIPJob.spec.istioSettings

IstioSettings are used to configure Istio-specific resources such as telemetry. Currently, adjusting the sampling percentage for tracing is the only supported option. By default, tracing is enabled with a random sampling percentage of 10%.

Name | Type | Description | Required
telemetry | object | Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings. Default: map[tracing:[map[randomSamplingPercentage:10]]] | false

SKIPJob.spec.istioSettings.telemetry

Telemetry is a placeholder for all relevant telemetry types, and may be extended in the future to configure additional telemetry settings.

Name | Type | Description | Required
tracing | []object | Tracing is a list of tracing configurations for the telemetry resource. Normally only one tracing configuration is needed. Default: [map[randomSamplingPercentage:10]] | false

SKIPJob.spec.istioSettings.telemetry.tracing[index]

Tracing contains the relevant settings for tracing in the telemetry configuration.

Name | Type | Description | Required
randomSamplingPercentage | integer | RandomSamplingPercentage is the percentage of requests that should be sampled for tracing, specified as a whole number between 0 and 100. Setting RandomSamplingPercentage to 0 will disable tracing. Default: 10. Minimum: 0. Maximum: 100 | false

SKIPJob.spec.job

Settings for the actual Job. If you use a scheduled job, the settings in here also specify the template of the Job.

Name | Type | Description | Required
activeDeadlineSeconds | integer | ActiveDeadlineSeconds denotes a duration in seconds, counted from when the Job first becomes active. If the deadline is reached during the Job's workload, the Job and its Pods are terminated. If the Job is suspended using the suspend field, this timer is stopped and reset when the Job is unsuspended. Format: int64 | false
backoffLimit | integer | Specifies the number of retry attempts before the Job is considered failed. Defaults to 6. Format: int32 | false
suspend | boolean | If set to true, this tells Kubernetes to suspend this Job until the field is set to false. If the Job is active while this field is set to true, all running Pods will be terminated. | false
ttlSecondsAfterFinished | integer | The number of seconds to wait before removing the Job after it has finished. If unset, the Job will not be cleaned up. It is recommended to set this to avoid clutter in your resource tree. Format: int32 | false

SKIPJob.spec.prometheus

Prometheus settings for the Pod running in the Job. The fields are identical to those on Application; if set, a PodMonitoring object is created.

Name | Type | Description | Required
port | int or string | The port number or name where metrics are exposed (at the Pod level). | true
allowAllMetrics | boolean | Setting AllowAllMetrics to true will ensure all exposed metrics are scraped. Otherwise, a list of predefined metrics will be dropped by default. See util/constants.go for the default list. Default: false | false
path | string | The HTTP path where Prometheus-compatible metrics exist. Default: /metrics | false
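The following SKIPJob manifest is an added example, not part of the generated reference or of the Skiperator project, showing the spec sections documented above (cron, job, container.resources, container.startup, istioSettings and prometheus) used together. The apiVersion, the metadata name, the container image reference, the image field name under container and the port numbers are assumptions or constructed values; only the field names under the documented sections come from the reference.

```yaml
apiVersion: skiperator.kartverket.no/v1alpha1   # assumed; check the API group/version your cluster serves
kind: SKIPJob
metadata:
  name: nightly-report                         # constructed name
spec:
  cron:
    schedule: "0 2 * * *"                      # every day at 02:00 in the time zone below
    timeZone: "Europe/Oslo"
    allowConcurrency: Forbid                   # skip a new run while the previous one is still active
    startingDeadlineSeconds: 600               # a run that could not start within 10 minutes of its slot is not started late
    suspend: false
  job:
    activeDeadlineSeconds: 3600                # terminate the Job and its Pods if a run exceeds one hour
    backoffLimit: 2                            # give up after two retries instead of the default 6
    ttlSecondsAfterFinished: 86400             # garbage-collect finished Jobs after a day
  container:
    image: registry.example.com/reports:1.2.3  # assumed field name; constructed image reference
    resources:
      requests:
        cpu: 250m
        memory: 256Mi
      limits:
        memory: 512Mi                          # memory limit only; the reference advises against CPU limits
    startup:
      path: /healthz                           # constructed path
      port: 8080                               # constructed port
      initialDelay: 5
      period: 10
      timeout: 2
      failureThreshold: 6                      # about 60 seconds of startup after the initial delay before a restart
      successThreshold: 1                      # must be 1 for startup probes
  istioSettings:
    telemetry:
      tracing:
        - randomSamplingPercentage: 0          # 0 disables tracing for this batch job
  prometheus:
    port: 8080                                 # constructed port
    path: /metrics
    allowAllMetrics: false                     # keep the default drop list
```

The combination of activeDeadlineSeconds, backoffLimit and ttlSecondsAfterFinished bounds how long a misbehaving run can consume cluster resources and how long finished Jobs (and their logs and Pods) linger, which is the operational hygiene the reference recommends; allowConcurrency: Forbid additionally prevents overlapping runs from piling up when one run is slow.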

SKIPJob.status

SkiperatorStatus

A status field shown on a Skiperator resource which contains information regarding deployment of the resource.

Name | Type | Description | Required
accessPolicies | string | Indicates if access policies are valid. | true
conditions | []object | | true
subresources | map[string]object | | true
summary | object | Status | true

SKIPJob.status.conditions[index]

Condition contains details for one aspect of the current state of this API resource.

Name | Type | Description | Required
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true
message | string | message is a human-readable message indicating details about the transition. This may be an empty string. | true
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true
type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false

SKIPJob.status.subresources[key]

Status

Name | Type | Description | Required
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true

SKIPJob.status.summary

Status

Name | Type | Description | Required
message | string | Default: hello | true
status | string | Default: Synced | true
timestamp | string | Default: hello | true