From d786ad7f6216047780cef89b1072469c95a2de75 Mon Sep 17 00:00:00 2001 
From: Simon Guyennet
Date: Wed, 2 Oct 2024 16:43:45 +0200
Subject: [PATCH 01/16] feat: Kubeflow on PCI
---
use-cases/kubeflow/README.md | 105 +
use-cases/kubeflow/helm_external_dns.tf | 117 +
use-cases/kubeflow/helm_kyverno.tf | 302 +
use-cases/kubeflow/helm_nvidia_operator.tf | 132 +
.../kubeflow/img/kubeflow-public-cloud.png | Bin 0 -> 271316 bytes
.../kubectl_kubeflow_admission_webhook.tf | 2393 +
.../kubeflow/kubectl_kubeflow_authservice.tf | 229 +
.../kubeflow/kubectl_kubeflow_cert_manager.tf | 9981 ++++
.../kubeflow/kubectl_kubeflow_dashboard.tf | 432 +
use-cases/kubeflow/kubectl_kubeflow_dex.tf | 255 +
use-cases/kubeflow/kubectl_kubeflow_istio.tf | 11125 ++++
use-cases/kubeflow/kubectl_kubeflow_katib.tf | 1077 +
.../kubeflow/kubectl_kubeflow_knative.tf | 9546 ++++
use-cases/kubeflow/kubectl_kubeflow_kserve.tf | 21084 +++++++
.../kubeflow/kubectl_kubeflow_kubeflow.tf | 6273 +++
.../kubeflow/kubectl_kubeflow_notebooks.tf | 10635 ++++
.../kubectl_kubeflow_profiles_kfam.tf | 656 +
.../kubectl_kubeflow_pvc_viewer_controller.tf | 3829 ++
...kubectl_kubeflow_tensorboard_controller.tf | 493 +
.../kubectl_kubeflow_tensorboards_web_app.tf | 365 +
.../kubectl_kubeflow_training_operator.tf | 46716 ++++++++++++++++
.../kubectl_kubeflow_user_namespace.tf | 28 +
.../kubectl_kubeflow_volumes_web_app.tf | 349 +
.../kubeflow/kubectl_kyverno_policies.tf | 94 +
use-cases/kubeflow/output.tf | 21 +
use-cases/kubeflow/ovh_kube_cluster.tf | 82 +
use-cases/kubeflow/ovh_mysql_db.tf | 60 +
use-cases/kubeflow/ovh_private_network.tf | 17 +
use-cases/kubeflow/ovh_s3_bucket.tf | 16 +
use-cases/kubeflow/provider.tf | 63 +
use-cases/kubeflow/variables.tf | 151 +
31 files changed, 126626 insertions(+)
create mode 100644 use-cases/kubeflow/README.md
create mode 100644 use-cases/kubeflow/helm_external_dns.tf
create mode 100644 use-cases/kubeflow/helm_kyverno.tf
create mode 100644 use-cases/kubeflow/helm_nvidia_operator.tf
create mode 100644 use-cases/kubeflow/img/kubeflow-public-cloud.png
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_authservice.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_cert_manager.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_dashboard.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_dex.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_istio.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_katib.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_knative.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_kserve.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_notebooks.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_profiles_kfam.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_pvc_viewer_controller.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_tensorboard_controller.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_tensorboards_web_app.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_training_operator.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_user_namespace.tf
create mode 100644 use-cases/kubeflow/kubectl_kubeflow_volumes_web_app.tf
create mode 100644 use-cases/kubeflow/kubectl_kyverno_policies.tf
create mode 100644 use-cases/kubeflow/output.tf
create mode 100644 use-cases/kubeflow/ovh_kube_cluster.tf
create mode 100644 use-cases/kubeflow/ovh_mysql_db.tf
create mode 100644 use-cases/kubeflow/ovh_private_network.tf
create mode 100644 use-cases/kubeflow/ovh_s3_bucket.tf
create mode 100644 use-cases/kubeflow/provider.tf
create mode 100644 use-cases/kubeflow/variables.tf
diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md
new file mode 100644
index 00000000..69744e90
--- /dev/null
+++ b/use-cases/kubeflow/README.md
@@ -0,0 +1,105 @@
+# Kubeflow on OVHcloud Public Cloud
+
+This Terraform will create and configure:
+
+* A private network
+* A managed Kubernetes cluster
+* A load balancer for Kubernetes with a public IP
+* A MySQL managed database
+* An object storage bucket
+* A Kubeflow deployment
+* A Nvidia GPU Operator to install automatically Nvidia drivers on GPU nodes
+* A Kyverno deployment to secure the workload created by the Kubeflow users
+* A FQDN for Kubeflow
+* Let's Encrypt TLS certificates for Kubeflow
+
+![Kubeflow on OVHcloud Public Cloud](./img/kubeflow-public-cloud.png)
+
+**Requirements:**
+
+You need the following:
+* [Terraform](https://www.terraform.io/) installed
+* An [OVHcloud Public Cloud project](https://www.ovhcloud.com/en/public-cloud/)
+* An [OVHcloud vRack private network](https://www.ovhcloud.com/en/network/vrack/)
+* An [OVHcloud domain name](https://www.ovhcloud.com/en/domains/)
+
+As we are going to configure the infrastructure using a private network, your public cloud project needs to be in a vRack.
+
+## Configure the deployment
+
+### Configure the OVHcloud Terraform provider
+
+Create an OVHcloud API token:
+
+https://api.ovh.com/createToken?GET=/\*&POST=/\*&PUT=/\*&DELETE=/\*
+
+Configure Terraform with this token:
+
+```bash
+vim ovhrc.sh
+```
+
+```bash
+export OVH_ENDPOINT="ovh-eu"
+export OVH_BASEURL="https://eu.api.ovh.com/1.0/"
+export OVH_APPLICATION_KEY=""
+export OVH_APPLICATION_SECRET=""
+export OVH_CONSUMER_KEY=""
+export OVH_CLOUD_PROJECT_SERVICE="$OS_TENANT_ID"
+
+export TF_VAR_ovh_api_dns_application_key=""
+export TF_VAR_ovh_api_dns_application_secret=""
+export TF_VAR_ovh_api_dns_consumer_key=""
+```
+
+You can create a second token for the DNS configuration with limited permissions:
+https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ovh.md#creating-ovh-credentials
+
+## Customize the deployment
+
+Configure Terraform with the public cloud project ID:
+
+```bash
+vim terraform.tfvars
+```
+
+```bash
+ovh_os_project_id =
+```
+
+Configure Terraform with your OVH domain name:
+
+```bash
+vim terraform.tfvars
+```
+
+```bash
+ovh_dns_domain = ""
+```
+
+You can find the list of configuration variables in `variables.tf` and you can override the default values in `terraform.tfvars`.
+
+## Deploy the stack
+
+```bash
+source ovhrc.sh
+terraform init
+terraform plan
+terraform apply
+```
+
+## Get the Kubeflow default user password
+
+```bash
+terraform output kubeflow_password
+```
+
+## Troubleshoot
+
+### Access the Kubernetes cluster
+
+```bash
+terraform output --raw ovh_kube_cluster_kubeconfig > ./kubeconfig
+export KUBECONFIG=./kubeconfig
+kubectl get nodes
+```
\ No newline at end of file
diff --git a/use-cases/kubeflow/helm_external_dns.tf b/use-cases/kubeflow/helm_external_dns.tf
new file mode 100644
index 00000000..80743c61
--- /dev/null
+++ b/use-cases/kubeflow/helm_external_dns.tf
@@ -0,0 +1,117 @@
+resource "helm_release" "external-dns" {
+ name = "external-dns"
+ namespace = "external-dns"
+
+ repository = "https://kubernetes-sigs.github.io/external-dns"
+ chart = "external-dns"
+ version = "1.12.2"
+
+ create_namespace = true
+
+ set {
+ name = "provider"
+ value = "ovh"
+ }
+
+ set {
+ name = "domainFilters[0]"
+ value = "${var.ovh_dns_domain}"
+ }
+
+ set {
+ name = "sources[0]"
+ value = "istio-gateway"
+ }
+
+ set {
+ name = "policy"
+ value = "sync"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].apiGroups[0]"
+ value = "networking.istio.io"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].resources[0]"
+ value = "gateways"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].resources[1]"
+ value = "virtualservices"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].verbs[0]"
+ value = "get"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].verbs[1]"
+ value = "watch"
+ }
+
+ set {
+ name = "rbac.additionalPermissions[0].verbs[2]"
+ value = "list"
+ }
+
+ set {
+ name = "env[0].name"
+ value = "OVH_APPLICATION_KEY"
+ }
+
+ set {
+ name = "env[0].value"
+ value = "${var.ovh_api_dns_application_key}"
+ }
+
+ set {
+ name = "env[1].name"
+ value = "OVH_APPLICATION_SECRET"
+ }
+
+ set {
+ name = "env[1].value"
+ value = "${var.ovh_api_dns_application_secret}"
+ }
+
+ set {
+ name = "env[2].name"
+ value = "OVH_CONSUMER_KEY"
+ }
+
+ set {
+ name = "env[2].value"
+ value = "${var.ovh_api_dns_consumer_key}"
+ }
+
+ set {
+ name = "nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "tolerations[0].value"
+ value = "control-plane"
+ }
+
+ depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool]
+}
\ No newline at end of file
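Review bot: The three OVH API credentials are passed through plain `set` blocks into `env[0].value`, `env[1].value` and `env[2].value`, so the application secret and consumer key are rendered as literal env values in the external-dns pod template, where anyone allowed to read Deployments or Pods in the namespace can see them, and they also appear in `terraform plan` output unless the variables are marked sensitive elsewhere. At minimum use `set_sensitive { name = "env[1].value" value = var.ovh_api_dns_application_secret }` for the three value blocks; better is to store them in a Kubernetes Secret and point the chart at it with `env[N].valueFrom.secretKeyRef.name` / `.key`, so the values never reach the pod spec. Because `policy = "sync"` lets external-dns delete records under `var.ovh_dns_domain`, a short comment stating that these variables must hold the DNS-only token the README mentions, not the full-rights API token, would also help.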
diff --git a/use-cases/kubeflow/helm_kyverno.tf b/use-cases/kubeflow/helm_kyverno.tf
new file mode 100644
index 00000000..f7c56e4a
--- /dev/null
+++ b/use-cases/kubeflow/helm_kyverno.tf
@@ -0,0 +1,302 @@
+resource "helm_release" "kyverno" {
+ name = "kyverno"
+ namespace = "kyverno"
+
+ repository = "https://kyverno.github.io/kyverno/"
+ chart = "kyverno"
+ version = "3.1.4"
+
+ create_namespace = true
+
+ set {
+ name = "admissionController.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "admissionController.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "admissionController.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "admissionController.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "admissionController.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "webhooksCleanup.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "webhooksCleanup.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "webhooksCleanup.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "webhooksCleanup.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "webhooksCleanup.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "policyReportsCleanup.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "policyReportsCleanup.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "policyReportsCleanup.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "policyReportsCleanup.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "policyReportsCleanup.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "cleanupJobs.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "cleanupJobs.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "cleanupJobs.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "clusterAdmissionReports.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "clusterAdmissionReports.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "clusterAdmissionReports.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "clusterAdmissionReports.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "clusterAdmissionReports.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "backgroundController.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "backgroundController.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "backgroundController.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "backgroundController.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "backgroundController.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupController.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupController.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "cleanupController.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "cleanupController.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "cleanupController.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "reportsController.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "reportsController.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "reportsController.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "reportsController.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "reportsController.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.admissionReports.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.admissionReports.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "cleanupJobs.admissionReports.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "cleanupJobs.admissionReports.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "cleanupJobs.admissionReports.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.clusterAdmissionReports.nodeSelector.kubeflow"
+ value = "control-plane"
+ }
+
+ set {
+ name = "cleanupJobs.clusterAdmissionReports.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "cleanupJobs.clusterAdmissionReports.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "cleanupJobs.clusterAdmissionReports.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "cleanupJobs.clusterAdmissionReports.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "config.excludeKyvernoNamespace"
+ value = "false"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].key"
+ value = "kubernetes.io/metadata.name"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].operator"
+ value = "NotIn"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].values[0]"
+ value = "kyverno"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].values[1]"
+ value = "kube-system"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].values[2]"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].values[3]"
+ value = "istio-system"
+ }
+
+ set {
+ name = "config.webhooks[0].namespaceSelector.matchExpressions[0].values[4]"
+ value = "gpu-operator"
+ }
+
+ depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool]
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/helm_nvidia_operator.tf b/use-cases/kubeflow/helm_nvidia_operator.tf
new file mode 100644
index 00000000..a541e958
--- /dev/null
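Review bot: The `config.webhooks[0].namespaceSelector` entries at the end of the helm_kyverno.tf resource remove `kyverno`, `kube-system`, `kubeflow`, `istio-system` and `gpu-operator` from Kyverno's admission webhooks altogether, so no policy (including those in kubectl_kyverno_policies.tf) can be enforced on workloads created in those namespaces, and nothing in the file says this is intended. These appear to be the namespaces that hold the most privileged platform components, so the exemption should carry a comment such as `# Platform namespaces bypass admission control; Kyverno only guards user profile namespaces`, and a narrower per-policy `exclude` is worth considering in place of a webhook-level bypass. Setting `config.excludeKyvernoNamespace` to `"false"` and then listing `kyverno` in the `NotIn` values reads as contradictory and needs a one-line explanation as well.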
+++ b/use-cases/kubeflow/helm_nvidia_operator.tf 
@@ -0,0 +1,132 @@
+resource "helm_release" "gpu-operator" {
+ name = "gpu-operator"
+ namespace = "gpu-operator"
+
+ repository = "https://helm.ngc.nvidia.com/nvidia"
+ chart = "gpu-operator"
+ version = "v23.9.2"
+
+ create_namespace = true
+
+ set {
+ name = "operator.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "operator.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator"
+ value = "In"
+ }
+
+ set {
+ name = "operator.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]"
+ value = "control-plane"
+ }
+
+ set {
+ name = "operator.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "operator.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "operator.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "operator.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator"
+ value = "In"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]"
+ value = "control-plane"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "node-feature-discovery.gc.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "node-feature-discovery.master.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "node-feature-discovery.master.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator"
+ value = "In"
+ }
+
+ set {
+ name = "node-feature-discovery.master.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]"
+ value = "control-plane"
+ }
+
+ set {
+ name = "node-feature-discovery.master.tolerations[0].effect"
+ value = "NoSchedule"
+ }
+
+ set {
+ name = "node-feature-discovery.master.tolerations[0].key"
+ value = "kubeflow"
+ }
+
+ set {
+ name = "node-feature-discovery.master.tolerations[0].operator"
+ value = "Equal"
+ }
+
+ set {
+ name = "node-feature-discovery.master.tolerations[0].value"
+ value = "control-plane"
+ }
+
+ set {
+ name = "node-feature-discovery.worker.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key"
+ value = "node.k8s.ovh/type"
+ }
+
+ set {
+ name = "node-feature-discovery.worker.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator"
+ value = "In"
+ }
+
+ set {
+ name = "node-feature-discovery.worker.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]"
+ value = "gpu"
+ }
+
+ depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool]
+}
\ No newline at end of file
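Review bot: The `node-feature-discovery.worker` affinity at the end of the resource pins NFD workers to nodes labelled `node.k8s.ovh/type` = `gpu`, but unlike the `operator`, `gc` and `master` entries above it sets no toleration, and no comment explains the difference. The GPU node pool is defined outside this file; if it carries a taint, the workers may not schedule unless the chart's defaults already tolerate it, and GPU nodes would then be left without feature labels. A comment such as `# NFD workers run on GPU nodes only; the GPU pool is untainted, so no toleration is set` (or the matching `node-feature-discovery.worker.tolerations[0].*` entries) would make the intent checkable. This placement runs node-level driver components in a namespace named `gpu-operator`, which helm_kyverno.tf lists among its webhook exclusions, so the comment should also state that this namespace is not covered by admission policy.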
diff --git a/use-cases/kubeflow/img/kubeflow-public-cloud.png b/use-cases/kubeflow/img/kubeflow-public-cloud.png new file mode 100644 index 0000000000000000000000000000000000000000..647700cb63e29e3d50d242769dfb63c5045acaeb GIT binary patch literal 271316 zcmb5WcQoAH+CH9mNQelLAo_?FJ<+3&6212xJ$mnkAc)TB1ko8SdM^o4gQyd|_udW0 z{63y@-tReUy*Y2r?;mT{EVjMxeeb(m*R^-3l7b}81Cj@K?%ctVmJ(OFa|biv&K(R2 z%zMB$n0lD>ckY1hNQ;BjJPdYbF+9{Hr@IdCqkYv6Ym#+zw{~=YP_2{~*7TH#<>&Lf z>gxKZA=%&c!(czk4o%N0VwpQ|JHZRo)r`4}FpNznL?ztnAP`;Fx!nu`~DnJ0ptVeXzK- z#!qyEi`GP@bHkp~E4J_JS(lmRGoDNI?wJ>TbJ)=|me;&c?jm=ZYOg0)@Z7|w{XyGd zCFdL8bWIB#9@HOss>&{=U^h}3ow|mYXu*y5A3JwnenY(QK5^2Vy4Uu&L~LHCYHyGv zl^ov4t{J_*<3RzrnB{G#y26`4;f57@&Pc5eXLT$Q#d;G=Gzf%|e2tS_q0q5sDRJ(~ zMLx87I)^gEjILw)u{%IH=N-0CCtY8Fy-!hZO!*D+gp~{=K#}3$7BR66<7zm9?1$~L zH`-gQIV8k#I0sL_y$s9r;$jn+)}6ZA-{}uVtQL7Ym`9fFSWgV9vYNx!BSH)IzW*SZ zJ#6JVJ|F2ZUy6c6%lUP`^!AIjHT)savA1I~F)&9WVB&c;;Vhl>L-#?hB27`8hwK!M z<7%ntA&tqA2b94~z>^6dk|>4OnLfm7Lj7JOmp}`(udfZ+i6U#h)+)1H#GThHr{2}k ze)gxG5%=|finT1$dV-ZFGxv0)a!l9Dq4P;3=p+4D%9Fe3&-E6zT8KvMdp%$KB1309 zcbLj|(J@Rczjp9em`LlD|H5apvyuLcWHS}98IR^Luan(6%b%Ah6>s`eN=l$X@`?emMBxkN~ek2ScH`ny`W84=W$gjik zhWEkC`|J9rbp?0AKel#%_WQ=yMt_!Rx4hm_AF@5qv)IJHUVheTpmR1lSrhEX^G!J5 z_-c1XpASAgY$Z@pzIHxV!@oE+{A0fYG0Q$b`eP^Km+ty}RoOHFJksv)oL2ZgDTt8cpn(DrHB=IWs*nOB$n z*lqBoZIq4yqV2JtH>HpjoaP{kWm1JUrtAA?PZAe&<_8et%dYwq<$@3Evin#n6#f*5KANIg_+<1=QP-KFzK1v= z201)0M}&JGJn24%uF;P4^_Vxzv^oWV?C8zW(D4pFw3p2Cn2oGiXEXY1>27s8=IQv4 zsT3=bFr-kY&?kQX^rz5@_ZNBwqBU{#zR$`zOVa9LxMuAW>?N=7&{PbSzD_p;O_s*1 zPIAB*`PGO4XB43Od?Ql&>hiN*D=FTc-c&w+A1$u%F{acBlWk+;KQ68T4MLOwWue~- z+b@Rmi8Ak^rzyfrp;!BZa6~sXwYv<}D70WCw zSVOZW@yA$hgC>lGfN%IbWGMvw^88Bm22Cqhj_dRp#qm1xK0O4|O$Po(!$HZ9+3g&~ z%%9V;!CXT*lz)kd{c+^yX(CC)sJ=Pp^HZ}t*)ew6nxXf|nfj0UEf}rMrkO^yPCtRiUi{YnRFO_S_X#+j8CZ<@ zgFeRMmEXn~!gt)8$vdx6N`@u_0Yxhz+!)VKy|l^x6k$Mb33y#Lvs}`=MTHsZ+;+4o zFSnno&^SXK?mkAxBBCUszMXk+S@VlFyM}zW#T;15YE|l_Km*y@n?G9R8;z3nm_fr; zr=kj77!&Fd6KVdd5~BY%ZUK7jr$)AYd4y&)qqGXE=7W?IUn)hGAkW8tN^$-USb7)x 
zDb=YSQrCuU!%P7syE>ddmVuEu$cdic&iLqTnkCxsLiTdy(9|`0Bt!4Pe_`oG!sMFc z)QGFAY$1iF%1u+3{uv{ZIFMBGuX;?t`52TSC*aqv$0;7&p)A(k35h^#_HugtBl3^A zyI%bBRr8a|)lPj#iLfvOjrvi(gO^?aNFmPgE*hqX%EGT2dX=m0j!XP|JiXMBGR>>K zt1o%}xOWRG{_KJ7VVNjWhWJ+%CHn?HHY>0Kc;&k=FhL8_{%@W{_uYg?^Wt~KrM1ue z>9{X&`>Ti8_kO0eI5|WSE6Lot@0cDs_|sB0$KP{I*|+YUbx&&cq#h|YP_Wcz4Wv)% z_~Wqe-|M1VMNTmR^~0uQMKRF7%~SK~XllhJ!iQMoxc< z6e8{VXl?cl&*OOX3Cn*~tZXHRDaecAbuzH>{q3ujXVssA#w(2J5RGnbimX8mfApri zbr00Y8g(-em$JuDOEb~w=KS^Nn8vALQGc5ei?qD2kSmGC;M1>43n`5Ma!BllhQ11k z6!i?!OWwVkv8(b!l6ak*1murJ+T+j$=*Z&)*C}PbMo62USx5*rJpC_D(+sP_@mK63 z9`iP#p&&{|DWBb>wE@lmka_$@;2ksyq8Gdl9Tz!MH7iYTu{m2dSyippOi6d{nmwlaR8W#c+V1#j(Y>S9o6IWJM*J^p7?8 z$Cv)GOoP2k5FT1v75mrhxe-O4SOLk#*-!rV%p78Rv(pNGD6Kl0_FPRaebTo-yQRnn zEVB9wC7}#2Ipc2p2JTwuzYqEOQ51HX%F2CN$Fh zLbC`Kk;cx^<58T%mY4-;+BPg6{Sx{R;j34_=Dhwr1oxWS+s!6U?CPw?ug<;~>Fs{H z38j&zOQ|xA3y=uw<98*MnL`VDm}InK%q#MA=fDnOe6(;Q2w6=#Lo$WN(O`}0GwZ(8 ze1o%TaXF<`VJw|mHzJ+?Lz~uQjajADiL2hwv zsUDp*;F=c5=K~UO0S3G4Je5u!wf2b_Rxd(B zRFO?Gb3O$mb%4=Gc#YV9rFui#7a!L; z?@OOjWsX}T437DT9q?=V16ojc4-e#?bnFtX{H~?xwm2S5ef0Q#!y(wdTlU1_SUnl(B&dn&5J;6K_E{kg*D(fAyvl|JgCc=`tBi|Q|n zo#^0)p&LNilJWGwbA#!78&cBPGMtyU8A_joZ@SlRgm#*B40W9r)t{~^P+Z+w4XSGw3urN-R0H<3EYw>p%MV(oIA$?0%LTl*M}|GL_*ytIuk*t9D<0jkEoMejk4 zxs(c$g62w_Eem(!)Ty_WKf0;X_08l|P{_Q1PqZn;8XsNF&}K)OhRN7Yt%O!uPt!qq z_pJ#68P&@P5)y}W{*PqQ9*H*p<0jKa7@{~g_(|(#Pv?gNT>vOp+y#iTiVw)@PqauB zc%K_onDpLc5ePQKgPi%Fpkw(ghAvC4=F|?Xj5En{1;!Vt^l$B6(Yo23tMi3!fTVIK zbKhc5*1IK~?4LF478AhKlI~K!+4f#2EY&?tdbl~NZg6$AJ=>=aV_eSv@z4K@ctDcm@L*dA5B+h2`*{?ncR{6q_nDeS zNr}4dh23>IK7CY!iRYReQl2h~*m61mqnO8`eb;rbs^2~f*wRbPDifjX8;hX1OyHL#pu-WaOy5O@ZZb|N1zBMjZ8&G+gV zd+|GCt}juh-%#SN+&$}af#3l*K0!a!!&^Ds zhO6Xx2pvKYD)Vt(k!k&(_q!T*1qo*F``)1Zi!QM6WlFTR-m;SXzF-q4yer%Whtl?+ zykw(S`1H%^bnCuRYX&w@32>mzuBXQUO^=mu9Z`c&Ep+iYX23K2;k&oh=E2q3HoFG` zBb1V-c85amYn&_=ySr9&uySDG)>Bu;#4nNX(s?|~aiIk^{qXex=y1oqt@66PpW2OQ zU$?6SDd!Uj1vlh=Td&&;Fx|Qww_81XS1QfQm5%|NpWnxT!pK|r)>Hf 
zTbwq}C1m3txhmwecLdiknTgb~ootV5iM3J^ZE0=QCq(*{C(2Ku6f&6DbeL~Chlo#xy1ztpIhE56Qp|C`6>e z%NRA;49DOjpS78YUtZr2@ou&sQkcvoCvv%H7tY?(#Gqg|A7q?#UW2}2nUXqGF_Raj z-ts#2Rq^&hZV^CA9;UF%*66tAX{VjjXdgYjtjfut8h?YjZc-~dRERljL)Er1rwdD> zbo^|0acaCVOIth+^(L4NpYzw+#9&(tZTRJP0(nIxPrA6x-MU#&1MSGjOs~^Xv%ym#e+S37`q3l&r;h$?E)6*&0U?kH$kH#-I9)EHaD zkR#)K`Nik7773-XR4M58y57jTn5j2vVztO<22Yr-7`Ghs z(uWLPdn|J12*-|Bg5Ya3~; z5%Cm^N06;d05)j#$YRr0w^mly-Kjy@%|n6urN4ESpX_p-?W8v1!VyaNsCVhh{2LZI zb}K1E&+CoYSzj31K%H8koe+_&kqV z)yi8rOOpDh?F$lJw@Ff3TPOILR>pdp)bL)htj$H~3(Yg$Kbwa_u0&B1qUUApkQ_EW zCj~E;X$F2b&bSh7XuW;*3xP^5Od#!%tUZIr>Wu6&XLHm@F$YxA20jrwAiVg+dBV+x62* z=$pn9;*|sqs^<$d4ijMG_xPN-V*yByFywvG+v9z@+TU%b-!lIHLPxh-x zmy*7O06bBqMJIOU3NLomN`nbyi;7uMmW*qclowrH+722kUlBE9JPL5xJF2NYZ|f=6 z^!4Hy7mg;pR7!X=XjMD$KGI8mw~2kR=b8I8!?)z$C9Yxlw^y~KBd}8)WUbq-71e7e zUX*N@zx>f!I!iPKA~<jk?yNdmA z{k=U=3L9$HmoZ(KnWiHoXh7(b?8lR&C+MLkx}9i1W+L|AAVhy%s*bTS(^zqV&=zu# zPkvERGVd&odsi#%AMR8!m=(pnDd>^=)TgP?fOdIuw7_ZS;4V@s)moEvdct`B89`2a zpfaBLzN_wDP4RH5SmKsx_@Ti_uy8qo01Q+hsG1E7+9G=bc8I_Y1)l zjvHz^cXY#4MMmoR7`Dbg8rbUner$1isCFQtUZ&I?qgBjZhFe=_to*!bp^_6IKv&NCs5n*k zGh;sRGIea2kAtZEL4}a|=F)AI=GPsyQC?)llj$?7Pr_+S8ycrI@?9}gAhu1DH7>J; zTCapaSuNT4>y|veuiSR((Kjv;q^PC}PHY%0=*e#2ust`-c6pt`xjcmTHL@Ly zS7Shcu4+wrvph6)$lG8GFIJl9@ozDM*S^n*F=x@IhVfzI{Js$)!!E?#8^3=6qm|!c zDNwA#<(T}TU67}^pKjFJs$Sg8Zl@*b8K3XPA)R*1 z5wz$Pl=e7LIDaB0j6n1Tnnv>ZZI+z5;u?5V@a-D?K2B&wt7}o z?XI3|7HpwfO)Q*y6F5>-O^UbJ*bFaa)A=S(V#1ix`10vx*ETO>_-krbU7T#o^uqbO z7_~MOZ51VYibnqz%lUIK;Z5o|WKc33+I$699#|mAe$dGnE7; zwU^+U+I>G7!*hy-iS?DhL>viqD`l1e-OZKtB4=9NK|QL80#Uj7vrRhEi4x2s9r1f$ zwI0!+ps_zOCzMa$k@s8`c_$})W?%WeZUi)`b<%-|RyLr6A;?9Ifw zY#M8eTtqL52-1^dBXnb0Rifvpyidy8X|y(10;#mfWMDIBhUWGz z^=_)(r6RJ%Gd*6*hYGhjcbi)Dvg=Rhz*UM=-e}jq{2W%pvHhTw4UDJx;?3?W%mDFS zq{%5J2u}{ghz=eLxjYjk*wPq#^<=B#y1iRo%f7;N@`&B8uLLwMGG@K^FraXmY^_v_ z?X}Y?)~U9tI;GA;u@S$oDCAC=5M~`W5bSb5A0IsCEYx|kH{Vo@3$NJ+SDh8pUswPXUs-}*P?RkIver(=max)tJeTuDjv@$=!4dOG99tT0%hl`9E% 
zEY*CpGq2)8dj#y}i`zO?oqCkA5e5NzMJ?4lDz~)4vT$3~KPz~=e=-0cmQx%6GWrH* zRRM=&1O{&!;d!%sX-g4NS~$;oU{ErHuY@5%-Z4`6##2{m9X^RIfl(rA-EnmupCC&# zW#Gn*c{IPP+gNuhm3-6T7ZW@{mU$O(=smEy@fCUb2{tvT*oL8orEG{zfu6#NR8;n( z3z|^-B90-awtX_0bTsJ1vhhD!fL=|(Z;k4DA-^kKMI!K?aczB$ptLViBC8Lgtv?vo zoHiSNE?cwtrF!1Cm=%X~3Kb;hy}a5dsC$L5_(}cFe85xEYP@G>?8F;&7)uw)(za8i zgS_|J^k@Z!-_4{^xNI}&r7v`46Rr`7$eW|jAtZeLrQ9s$#=Y7K6jTEP!63)-j+?Vh z$*S9pKC2b+EGCGQ-FE-HJlUjgwc7w*F0olTsD}P3p9a&|MjRI%@1rQ1G8N_$vxN;C zo8{yl1aXo^;l_kn&w;73o6g5>bzL4TOEFO%Qle8UwXfNzCy~NyTeeH`kL~AcUCyaZ zd=Ccv(R6j9#SI6IO-UWs^YA+5Ca;##ho)CGms78;CXjD0TXgYL?XtpH1yRiw=SxTn z2RV7ewR^whmi66d*1GlP;idx_9g7Fi6hc2mIm~LrkDOcP#}NH_O0nLG4A8%9tJ{fU^Ae<*vfeyt8DFE9s(YxRYQ`SSxT^O9O`pe)-DN0EW28b8nTerGlo!00zm}~*oKk0|9*`jTN<~)c+)-HH9YiJ)Ek#V=->!>tbk{v z!+!yyi5L+V0Ivvp1hj>TWDUnM;kD#6nse7#djU+s3z~80LL~XR^IvbV)DC*k!Tq6L zXhF=WH=0WSBJgJm?;qe5Y5-XrVV0lw?LEKl?t|~P1X5nO6jbuMA^T(9-1bqW)js=>Y1c9zg|VqI5_RhlSo#Su`-lSs zHuV99jzB0x&ShUJMu-0O@k$laeE}quK(gP5D}4Wh z*A9-*c69G8Sc;?tAhGLPNbG+ljE{?GFd2{Fhl!b+lh%V|qfj;!nXYTZmoI!ANhHG6 zcf!2}Qmp7sw@Ty1LYTo(ko!6^YZ20)41A-=I93tP{X^bzD#H#Nd5AQu42@7V-I3;(;vdC$7Ad@L76aK)h(84#q>*M%ehutp72 zG>GckluCg#s5?5Pd}+94-7bY^-L!BNdDZ3yWi<2YSQQwFO6V;nXUj>gvc?p+sIgYe zRV%`{OgdUsq|)WSFE}zoGS%~mD`jVz^dLMuim=|b-_>$-;>h{D?Zyg}CtH9sk`DT~ zc-ENr7Z}e(BLLL(=0xO<{|g!syxc06UH+cMs8X#;kv9*&d>~b;!B#(g?to2(o>K8H zZw2W27oRw+w@s^*J2B|C*@h@eUteIIpdKmWnR=iyDxHc}XIgNDkSapR#*jswZ_`F1 z=WJ#jsRWlVY5U%(OPPNteGn?+&<3xs6@XldQxzgCz1Eu6TpFmTkOT} zgG;baPEQknqF_pt&}w&!0-$5;BN!v(PPXjhNjdH;I2SjIl7JZ!h#hllCKPus6t|L(? 
zZmlYB-aRQZm{kfRQZ%X07&dv-8*RcOjO*%#^Y#8vf_Ibv#JC8Ly!pBG_ptEQYeWdp zEp&~nzfyggD;|n)TJBP9S}tM(xT_h1Iu{V8@edi`aDJo!imxDa0EoH|PGq}OZ6zI( zoL2{msL3!8Y(zA~{Pg72a#ti1e{_14AQuo~BPh6))ZT+@%%?)uTdHw~XJ<7mzs4Eq z+>zkg_c$~iI73byGWUMUI2%DYkHCC!rd_}O^<=LQ6Q8#ezd1Fu3XCT?)N4Vm)0>6# zKK14xuBxPcVC4~H06Atw^{>(l zNY{a&f3g!BO;%6QHz(Y`RB!$4J-|{T;8eo|*8qi2e<$T-WAu z;WB?0$_^{29>`r+iJT<{3b(|{sLyy+TlMxy#i%Nb+IDQ1dm>*hK9V@8loT$#&&J{m z!|Utvi%LmF0o~kc=V6Z5y#3|Fcy4mxYW;N^yv|`~_RrHql}4qs>2~|Xm36c-X!Tw zYx}(0h86H(`|-l>WmaSlPIhWk*M11u7M^U|bLA>`*ic;}5SEme78O1llmI|CB+F{( zCES@eU2B*$QOew%{UI-ikQGZPkxNdwP>FH!%U7p|5UuIu?p7#$^lCCO0hvd+{v1e5 zdp&G>msXQCqK`XPe8K+%jj05o`+cyQNRCGZ!pRU@>BB@{f+Cx2 z(iqNBB?maBa+T2X3e`h}7+F2d)k|@qx-87Ju;_VPWJS@87T$8V$}BAlL;gC?52bSS zorsEQWPi?Cb*kEczI6&RZC#}DJ!w|wV}Txm)@gr_194JSXLj)Ueb}iH#4dZ;72q|O z%bXN3JKx?70Hs&w7%@}64VkzFpltvk+Hdj&rV4Vl@o2WbH&}7(eEuvc?|6L!IafL_ z6&zKIF0Y0S?unyH0Yp~AX09|LFMQcSP_WS@aar=wCM4KW(l?$}bJzj- zmEUK&Agu&p9eT5x+Y9Y)CfKHpcn@r+*Tg7qg&{yhdPXsRJ~H zih1cm)}{H6PZCT_?-;V`#fwFbI#8M*<;4dCl@4P8nsJWYn714)@yHb^B+O-#qh|z% z|KU7O$k}ef5MS*`xpG$Wz!j=M^Spu^C{Z%*T>dtd;BouA?N0Qs4QR^i+w5<|4++iF z^(Wm^+v4U@`m7)vSzLl4L(-zKvzm;T3-u*;7yQGA{L3`l;n$Dzy>qN47TkQu7S-u)if z!0POEHCMAQ@{OT!6j^VcdfE(>0rK4Qaz+um=u_gdP7vNWl;$*%qu{TJcXXK9XyS~? 
zM&!b>i8LdXW_G<9EJXsIYxHS6`f;w?%n8NnX&24}mUGOSc&rwIAdPbSRtClv?<7oi zje`Z{&5_MqgBBa84z?fJ=$`Z1kGLscEwty-ao>|9aSid%9S_Wt>#iCjw4K3Fx{uTa zZ_s_#o=(wLR1Z`OSl$u^Ap8fNC!mkYrvdz^*+jyc;=U@2#N(Za0MJ$kgdm_NgJZ?; zPU&>H(6yan> z(qzukJpQ=5N=tf1me45;3?n2=LTd3}A+ZSqOzSooqyf_1M3WI&l*7+tLYBpOY28QVY1;vN+*RTE7;;U_+ z9weZme3}#eyVF(=>>fpirl_M7^ZbJY$mDg^ZMUj*{g@el4&fyK{i+F@Mr%V1Sq7L4S9#$ zT7Yh3T8QWL${RW5M7SYRiY5&y#ShJy$TP8iT|cDaRq29|VRwYl{xY*g2a_EgKL1VW zdIxP0|J{U5q{iw(e$lH`?tY*{e8f9}DAQobR{GkIUseNWuuc8obfT4p#};|L_g?PP z+aeM235_h#d)m$QQ62sJ*4_P2dn^#1D^S|gJRi^Fws_*H_K7dxzA>y-zwW@f>Di`K zO{#GCm&MhUjzNr_N5^W|qAPutMJhtRK4yX-qjK%_%gus59reWbChvYE*NnkRFRUf& z)nM_;gsdgxOV9}7f=N*le)pP~Pp?HO%#IIY%bzm8)VvZ{uDL!CldznhQ@Q(H4v)sq z-xE;NIJcm-YH;#AhB@7m^wo-`ocg^?{@otXL$Yt7D%spfP&t zuHSM4#2iyc{p~R2$22GOfN(d(oeBcDV;^Q`C#a`ZemfUVlxQLjrB%$*WK%*toEt+C z<8C2pN(^mZqZGJ+vTRE=TkbV6hb4@VRqCm++$q>|zg#HsFK_ql@;s>&8DQ6$=H}*V zTi^KKckTShXC=->08-8hXt!NypF4stAuf~DTmu=76VVYrg&gMF69jhD7ai8X8T?51 zl!L&$tstwQa6&jdkwJDsDMYzzODooK9=D2|C63Gc5yE*j7>|HBLT_y-l~EYNqn0Tf zq|>FCQsgIMU!E@Lsv=}Lua_a@ncX(iDAq$AaLYA?5yPB^B^3McC*A%MAuyQh*gm3idEax6*pDDEXo)7vRIX0Q= zEObC4_U2H!mWa74aMv~h5du)x_mI|%TAT{gLmr3AAq#wvBfle~?Jk{3e#2?&!F%Ab zAi=f^sq!upeN=fBku)H~+Swa|6kUCHVwcfYs!~^qJe$C{1nQrz6Ek_1lXx7RIm4dtvbCL0dx-;A_c(j zry%HMf2Pir{gbYqHP^%(rT9#)g#{pk z#NwJ-eIya>t0Fe-?dlR{wM9{9Z%~dA{AOzIJ|ic)1!7)@xYZPVJ^l(zo;qGfKAV#f z>QCJ*RZG@zvaY^+K7q4s8n1z~f;hJDIwd|;9N$r=!SW$fMJ)L9DBLmx-w(44A){NJOO&S$+)j9FCc6#*4)=gu6Cn^0LG?G4vAoCK*$6WT);K9t- zEP#SEr@Yrd>H7=J>@wAfjv5(C|9R3aNF0~$BZyxK714HNF(i%MqGGm>9v%D**^Twr zZ`}$H)~+Z_J|1<7c|j}2p+?HXosi0vl)6b`Md^L_uif)`8nNJ_MH0A|W4S?It~I=l zJc{7rUGnL6s?1`Yn1+D6+p7tO;4^*?r{y>6cuB>5gs^WxR*@vDP(!~`{M;e`j=DVX zY{Dg6ZQ%`uy{Pp>1Gl{$BjT99?u=PG-#XL#moP~epIsU^Vx^mM7xiO4He4C6lh3!o zY13?Tq%pX22;ikYO#U@dnKqh{5?c-vmSX)5|8+&y;n8392z@!sy4kI@}L z5_p{luWp6C;M7Ex9$cm|2$(>O|-e?9gYm1$TDzCg7MUqZ$*z@L1^2t zglAomfSSYQdV>QYRjiT4NQ!O`I2H#Ok1L(M3@(3}t8!-miwkCQ4WWTS=LgYp9(|y01OhF|#Lr)h_Zo z-RxLG8n(1ETOEQZdNAh{ko)xy_mGhkg-&B(PuYqnvEnqb-@dkDe8}GHhpQWuwg4f0 
zmmqlgkhqAF>$uHC@+7HX(2zAK41HD;Sd(k1*C3!9CVGDI*vEiijQ9wtNX6Kzbp;r( zzO?zbaw(B|^jez+I@{?oXRC*&%N_(%nAW7PDnGegeir%IUvfOdQz+xDjV~%t!_i%`W4GpK2*@1AD zpnJ9@w*L#zOqE{B-nd_Xyz#GueK^#(j8IYFHy0(B&JxAU;sO%mBoJTb&sSw{^|H$6 zo(jdu2O|8fV(Nm*-PS8T>5@7%D3LiCi|eGmF9IW5n91q7JiWqAZao#$_gCi9`Hv31 zLRcK|HOseR7_2oIbeiMUybH=!1}(0M)Txu&t=0TuRqh6`Y{PrnByszZP43@OHElOp z5C8$syTv!sy>L4F`}Hoq6AVc&oEGIcsZHMM_F8JI_t)w7SGjl zVIBzDdQNahr^P39XN+;X@F3i4zHr%A?I7=6FZ+?gY_JMY=Z0+4V;XyTZ~oS)-jAZe z%Y|d1v_!lReGk@p-f3?zT8i9^`4QK8C6VO*C&pQrF?*5fyqV@3p z2w$_uCfj7yz|W?$O;wfFo5qi`{TV{1qiBRxC-AjFh$c*PC>M1Vc%QANkHY!H4|UZ4 ze5Bk^I%KpF5H}aAWA(z+v6XF6{u)pQ6Jw4#iri=b=TG4vr;&!%=Xcf3Z6{YG_2br2ehy=E^h|6mb^ zyBTpk=W@U`9oWtlF-V*;}vo{dT``ArqJstG%l}Sk>CuGI|~d`|8PZv%EY~!H&uu ziqU#RZj)!o;quEj<+}eBa(*a%8x)HF`jK=!EoQd1>A0L4zsHvvH??TTWIA3QHJpG? zg41ApdhSR00K)B?ru6vVAZ78a0plXfPQ1J7z2;JxWnS!jZacrG9y2eWyqA2p3n+n( zwD0%xki(Yxe|#@C{`j;m^f&1EdyyXm4z8HgoV}*K%l$=hR2_ujgz0hRty60wI4?=j z0U|5uM+!tHb9#p>i{)f?ifQ%N@bqQBW|_}tBr~^L;rUn&K#1_K=iXe7TT@Dr0e5me zD1VfECkFs$itT#u>Kv8I6kbN!3;9%>fStKn(Mk(NE35fZ>r^2md67PUm2YG*({0F* z!T$P8Qv|?4o6P_OG;#yDFs>~19wha2ia9Y%SVD{WE=cff(!v{x>HF@F>X)KkIvS5ElD5b@SKX!}n#cFThNAZC=w0T5=*d& zJXvL8-Y*}D7Fi9vm{3NR z7q=MJ30E8vH65X=k}r#V0q(bk9$B@u&6G(YnQzSR2$_~?biq2YM!OH*A?JDO^LG2$ zypO7y*ZCt4p%TMP!7K72?NNMo$1&i-NbAq2{Y`rZpXgz&;nP#kCi|Xbu60_=0A44n z56jDo31DVhj(Ks-hkMun``da498=g9GIJMgSa~5@dU@qM({IFnx739gC~}=?Woya6 zcBhD{0zf({jPPD{LT*b#>Ea};Yo)@}y5?=fB{}x6es5zMhx0jX1~rE=UHgW2!B|Mtao~cMx7wvf# zS1~+>%4{`G@xfH%YA=T_h45JdA&YbWhrwPj7NLOOFW(!}_F0O*w?yukuJ zy8?LT!=!skCY3YlFT$@x)=$x2J8aZ)7S^e>?JQ(*L#bMpe=1~& zI#CZwC2jf40GZ;*9)Mq>R_>5xG=TPw~@;JVO1UwFuQ0%SM-I}tw%6r~ZsRo?t= zyPt3K$ao#5T~O`heivEU)%Kb2O>4;r0g$kwfK`)1&?~hU9m=Zy30?A<{a_Zd`Z zM6QusJ#W*yQyl!808}#O5y8XCjPb=6WB~7u1@P|CKhkt{Vd_KgmMhD4_uELNW1km^ zy}Z|IFS+b@v`MIa2**Hrc}p&=u)UO|nDHxW+k4TjS}|h$+HWswZYZO|Rq(rPZtQsR z4$4QsL4-jf%)@D^(_2B<;?*h|;7?`+4T|W-9|3=QRyjOF2l&%M&sRvL&!PZO6lLo* zIcXa-d$2O7u1Rme1kD- zBjepFWhbI7ZBuo2v*FUXyM7aHS9{J3hUT$_G8C}!!dUgSA4SB*y8D7Y3>e1)6_Lk_ 
zAsA*GKiL6^##&~qP>Wk==Dao1n$lNKDi}g~&{(tlCF^P>sW-7j)4SdcLTx(}U+d_L z-1TF(*$}RUy`~?kPFj&}7Apy1(*hXT0~*kKk!pMpCVpvcT-yI}pY08n%T~4WL|Mzu zi1%D`P3X!H>4AUa@WS`7A)?GQ#mL4omqF;R8Ac;-W&dX)3_84>km`=>!GN=kFls{ zQK~RCKJAKZgF@uJM^j9G*Ehl)j|Bu}qoy{UVrDaNokN%3 zHGQkuYQPLpc>D%oVJO=ReJx!G7xvtt&++Abp^CyJj@g*Z$@Mw1yekbb#h=VN&B+hy(&DO7)Hb3kd5~ zxx^8mNA|AS>jA_(f;QF#K8BSyJ%N*+6A=_J;y zO>5+}L3s3#^C0g7oAD^H5pt@-fH*Ka0GMXs7uk~E3kCmeduDDIp_+#er$79qZr@pg+MxFXlZOKvmvD;;Eokywzu=NXIq8^<8 zIU@YSC?GoQ|36{mAAi(d4Q%SDnv3`y|3VNjO~xI3Yw_Qwuzy*>9Sc}Q67w?f*o7nz ztvx=ZOaC8NSN|Rj1O*lzN<;dU9XJ78wU=HcwD#9Z~$U54wNQgz(gr< z{xyl;fBM)9jBWh?vG>+-Rc&3{up-DN-83Qyo9=Fq*rarKBcgOSNNl=GLP8orTIuda zKmqCQM!MdG=RWt*bMEK8zwh^be?I@QeyqLLoMVo0jcdf5>u}e84@Mh1qN*~(ZZ{$Jh$wn+dc;oQT@2ta};00|NkN!Y(W z^FIxf^zLXd$#M*OU>Z7PfZ#bI!hHXn?EhpIipsz=zD{$g0mq$W++p1CU#s_@|N37@ z02c3mApy|F|Ahnqf&Uj0?vhRa%M$*7fCMmbc7}S%Y&Vc5UKyNOJ6tYHKfAb)K**&o z6K5*Xh@n>0c^=cQt&|&PdU{VYw$2+WS_P%A_wRA%!PKYP!1YSq=SvJI9Db z>5d_NooZVINQkCS5XkrJvI!$yd+5bVK`5*F#q%1Mjp&NL?50>aAgojR=%TgpJu5Me zI$CY9>(tH;zV<(-i2m)oz-#~;Y7g^VWyA<#f!js*&6gtK@=WX5{+_o|HFpz_H*{?j zR+MM`wU4fHnJH1~;)Ibgp4Q|&Yfv5+?EL@EI7oBu+-3~}J@S3{R@(VplI~|a>j^bS zgWZwFkzhEaElU3-UYv(CO6=ib_T|}g5BD#z3btGyocv? 
zI8$aI&HewnX29V!0LgPhOe6+8HtqZ%39v`G#N;yK$>I5$_Dah&unmFBF9}aU@I}!a zNgeJ(n!M{~j)-%VjbD=5La0~@IB3Mr4&$+?cKeET1!z7<(^J_;Geo0W2!J&(5%I1j%r=Dh{l<1$;8iH1-U$r7IN2U` zOT6x|7Yrkn6e2QBYBHeRn5w&L(emjf!B`$-{~KEtzB3%rpN3;&3SR!QaGPzvCc9{V z^!gKPXb4x9*J$y}qK~Y{k!Fgv=O2F!V5^X)MIH1rxS2>|P+JDb7<{#k(nax$iv{+Tiw=sF)BesheO}Q4vB;zq16P1h z|6L$tf09Zf+5g>q_b+{jUYGdYmr&ck2hqdXs>Lfa7yT>FyqD#z!=Z`X3%UqeT(*a$qbG zkh~Sn{3UMHAuIR4U;7i7{vAD%XaQkcu-eqd{>w8Tv%d=y5Y3Sq#&GPOHYqfT=NE&y zqu0IwZZ0JKl~%}Wd$)jC@DIts3-@b_iOM%x2ZKyj|3=F}jCW`J0%?HEcmT*=eNIKU z4j|6&Oleq^`)lg`cQJ@H4#u*Rk*YT_U1Me5v zf13D~IN$AFD$QS$BW(aC-u+q3V-B}}5a7ssf4z(4gMXJU2(b9%^zKTC zV|AOuIpp6C#y}4UvRn&;)_YDFFf#fHe=)YZ$F2{RiLvu8M#j|9}p2GsY4rGNo_nv@IVYI~$&Jg8@%_t(o-f%haYE!=T%Vf%kCjMW|B%$YHrsB9qP{sChJ)yJq|IN6Yimt_CVb}FKaiWpvi;D|dD zOvw9-`FaDAr1b~_iW0o2s1Ur08y<}>aH@+!^vnAQ@EZ-MdT=l>+(tv-o5AI|>gSx_ zXI@}A#oBwg$ehgbt)$l3nC^1T8N$iTb6^-iy3OHk2?|yazK!2YEqnndlbihFyLmDN9;&~^b9idt7i8R-PsPh2v3}HODov?VzYQKW0k;X zr06XzNI?g+Jj$DLYat{}$ zJ4hg)U4k}!JTR*EH@NhmD3?Wb@Qfx>j z)2gEOF;gX6*tCEQhIb9l$d|g-G3`DJ`-0*O)>B|0)i>Lv{8dceYVgRhV3?9law2|< z%2kG|oY^K_J5~02hll8>@Pcb-ZuS}fANu{*IPa950vPIg3}r$Gd}6aXmBLql65Q3! z{H3KZ43UEO?o>=LP+8Z3GE?cXvp%5!u6Okrc6e9!NUKI}^v02zrURBqO`YcANW6he zl0DLzSTDY1??|;0gWNKLDucnnhucQXwQUVn@p8?0xSDWVz7>KIv#cwaA~Mw(+s6 zuO8RGbU zLFdt$|5V0_qt?^uLJ`19LxWRR))N#W2dyc0(qOJ=bb#X_6(t#6&B?JIc65pV6dgf! 
z?e4mCF`yum>~-ICu<5HK2SI!nN&$i4V(c%IYK9NNzb}H}8#PgH@mkyAwLWqiqPj5B zBRc+r(9YD$g=)KJ@PUy62@%BP_j(A~nMgC-j?E%o&1AwH7#$od!E2qyYr9kv^)q;< zuvkb`^D-11bB8N0N`Im@SP?jVQazp%YvYC#4jSZ8E_>%&3H5F!5%Je zOEJ~DOWKR8$RD2F=`SjnX85PNB`?&Qs#vyYG2%*&Nl#b>70z zbdgSMnWKH=_=&4&lis_8KwYsN1cOI_Q1T*w-sJH1%VJB>)tO)1e5mgH2%AX}?rB<% zfuW&dem=f07`Dpe=#j!=B#GmI7vTqiZrfgcMX|V^QQyLjBah2tXZ4(=rJF&SnW4Ac zkYdj5e~#7F)sa^}cEGTQ7Dix&KXg@sgRMUJt7-vgD-=yJzjq4%&FrjsK&1cMvys(J z@wg{(Wb$_qOy%Kmr^XlJ?@K|#-K5`#TTllGYK$k|OTGHm|KJ03RH$xYaWO{mqXx?t zbYATz$`jv{eF#OYrqSElY1R&ggl|2FaE+IY^3|sh`Wmgml+wmDY7ZacdOC}QC?m7> z%RX(Jd8sU{*5k3%kiMGCR zXsO|m=T-fRaGL0o<@Xb1y3bLGRWx~F(|8di_Kh_KpG!r@{f3Tkb+J|se^Wc)f*Kiq z{aIpJ8HF$52gkGB8@H7XR0>4S|| zH!-`r6V5_b*fu!{@4V~3RNL+7DYyL!1r&sHdxn$|l*L1_*)+8qXp7R^ zoUt?jF>lB%yki@mOR!*4X;VqR;bo4SVsEngcD4D&%d<#N!u{xn^VZfY8@2{Em{bLryE{^6+h!#LKL%TWa*M9Ui$_%dm>PbDG* z-&npj`q+Q1*y||aGY3t+d3If!Cdh7?er2B5ym75=C|s$ms$08Wml02Q`&@x#wbme7 z_j_&qPtql($_8Eemc z{aAPYrbhM2Sri0Yrk7T+ltXCeo{5=uq#}AG92Ca17?`jy0>Q^MM&ObbR#VXfqi7&CA@7E8(&Zzd5G0D zCVHzkTkXY$9h%n_KclOn?89N?ezc6b=fJ`9c+!w*~<(_zFD70sn zcpyep4+?4Xr5G$&+{#aB*_(vYyf{{z6TdT4-esr;uRP?+kHn#z4AIdUT_+hr>NwWXhWhTjxoK{>|@R3 zMO7$r3>ntG)OP(SFKjI-x&}#xus`S4%1#ANsbjZcJ5$R9@uS99QTjuzP+h0BgQ>wT zE%l@+6c=HRs^v4@UnIqRUlvJ+cb^aawp?bHR|#fH!(=gA^9YwzqD(+s7+Lrg`qH{V zz{~Jy77GQ6PiCt=DlCy8965hm+n$lJgptn^lZmZ^W2npcc1uq9lyW?gZ_qE+=mezl zG)pQ`-g?ex43@ktuJ;j}n~7SC^F;-uL~dCe`gbX1iqB7{>DxMNA;SdTB+oiZMAN>U z9f{A^EiqJVi_T~Q2*F6(P^u}Mf8-tC>qdL=#Tz-1uP99hk?m?Uc2l__$X^|+?7f+0 z4^pM$w88G{(Cm3`QC%;e32n%sscf6%_97dT31XqyVCjMFgQEG)X=LEbFC^`P;VLxr zw$2sp>kFzZSAM-34L6**{f*hL9bE+?@l=k&qEP;1KtDD6OH_00JG`>X%On>!D%pHX zD?=Y9Q_t`d-CA=EXiKV^0u&5jSCzZFaewz_X(eY%s{2B<7ai)FXl;VGw?-6x+wd@9 zyr@=>7DtNEQ6PZN!LDr`aQ8E}ja-h!sUL=e`8xlF%PzA@@2hKAe_JcyB81upF+qMl z{qxcOb_?2bZ%#_o3ma^458jL*%=;Q3r5Ax|e1q`FRQE-2eN{>pgH)xHGgY3OzmBcH z$#XYD?9m7kN|{XX>558bcElO$8xCeJXO7Mc$7`B~&gVYi;dP^?rG9A!zh%ZqeV}ML z!NusaY_mX33M1)!OBvL72zS%R1X;a!Q#lc`^~za)%_(QUuU74B&0FxI-Z{V7Y2v`Q 
zU~=}P#B#GSTBVp9XaYq&xX)}{sx11m=z^@&QBhBkf}N~ z>v7}1J+1WHi={sHJ*|gy+c=s)pqi{r7#;aq_T z$a^&m*(lwyHF+4WwD*=Vjpo{wz0&sSkx#n_MHi0}>37T&#&M>&K6i#D*sk-fgP-C> zePdA?(_tU~W7 z0o|MGaGtsBoPI^T4$%U9;{{Zs7q3Iqk!Y0a<*Wj<0>L9slHN79w-CA@kV{Z3ufsHo z${(oFo52lXjwP~R^LtI5Yi!ZlyWbzuwv&!1G5$v`WjVY#jlR|e`8;P&Q+Vek3?RyzofstSVEeZ4q6>>NP|FWY&fk9xCSJ(Jw{dPvPv z`4sAm($a;xFd@95^HFC0>+lnkm+T__0|xv+f4_+qo)|)$UO zySuP-4fmzZh+_K;O5X@$@A36gFK#IoO07MfZc7W7<*WMxIaoJ(Z>Rww$3gzu>Jc)?UtY#OxRgo zG_60yuGL%oXZ5rJZxkLEj?Z<*eNSL7VjNmKsHYeL)!h4aVSf%#s2FLw$p-sL9=foU z9VV?>aY*{j#JjC>)Ey|UFaBhZtvlc%yQ94`kcB_e%YLbIfBaE%47Kj$BBMkSEsOEh z{jV9H@p_S4B)0vSA!pp-?alaQ`DPDJeN_D=vwbIU5@4kdA`f1)@Q?>~n$pDR2wIrc zwV8W(mPKv)!rxM#G1UdFqmVi$PZXJsH$TwBdO|wLMfj+TNPMyH|MrBaQ+OHav<$qh=N~Z z@~ZJ~mgTZ@_@SU8bcAQlVomc4G((MCSkgoOK;{qFEwK-be+Oj{4Na?5_C4P<284S_ zg}=eg&x>WD`5(pM6UQ?uuHt!58<;I;7fD+}{Yk`(5^G{*-min1MIk{NOaWP?>`y21 z2;cTwllx=qUhIy)G91YaYp^-Ye>CORf#J>uQdHM#Elm%_Qt%QMDa&#pG02mkgXW7SGzo8|6N|87rUit&hNGgPjy!Eq!np7 z9QWz^V?wepVDdBVJ(&AY0Vxda4+xFYhPy}c=5>F2iq+qM#y zIYVKEfzML--o|ejUah7Jw;!0AU7D^MhGUYMJ(p-poPq>#UtoVQ+WigW8B;J-v){d@ zoosM-=bNs^2^jP|AtPn|1LfBkYTtL8{4=3X zVIL7fM^5ahbj+aTHv2(Bi5l1(7^LWt5RPo)?j;&3@F_EYgUn?7+H?*fzhD8y(4(sj zN(-~<)*2DbFD#hh}o}Vjm&0i`prX_NwN?2I@}m6b3X4d*mUYXGhLJZl$T% znqj2%EMuGx@!Lr({AxriTK4vjToB)KAQhW@PmTYtJ|t4ok!S0Z)O`sz1gL_M@+i)% zy>@p^@4tKqI~6H}-xF{lv?2x4E1ewqTOm8|w3hsB7`E@+hagbwa?(v{1|n~TW!As@ zKLa>ds#1rEcPLLegyd`p@zC`0C57S65-mIhO;FRgMer|^wJmhm_GOi}{RcvXSZ#Big7 zTVdNZm#?f9GqKEw3-rlG#fLD<;hvJKBqkhi!pyp!`Ksilc)9HI83j5_~$ z;{coO_YRC|ls22|;jE_c_=x z{3#CDwx{KT&&5TYe)5Rlm-k>3HbG3Fy2|t$?-k_0HklB8Jr0;~0am$a{it!`~ zvok~XF)XNK!jyDJT1qCSd)yL9+8Qy@eexbOF$N6w<2Ia1IfI7J*yoB5%e9CfPcyqq z>8fDyw4ZLj2|?0N6?s45nO8Uuq(q~a?S4}w2LNxHJ3)_-z2#HgG>-bLYiZRA?GBYe zMihh~cV{L)j=p5WaXrBwI3EnZ`bQ_8a(_C3YC_IP@>;1X`zj1pI5yHpe;8T%-9g%3x6gmcyPf8Y+HWxAzYTO-bpBoYf|t= z+Ev{A0pq@wM9%e6GA%$u2>6y7j>)T$Mn~vri)4_@^o5F?JjT(FE&I}fMbsh1&nvE8 zi_Viirh2`&PyNiB#j-;&#JoqwvO!c)^Mbnz{*q5(pRh>AKHM#j%;7IO*eQ6YQGOUO 
z=rn!cYj)!qS^eTyE%KSh;67f9JTqT$IH1=>4P>15{bpX8G{6J_4Ll+w>SrmH=b=xU zlSHPe{V`Lbh%9MGOHYx4Z0WCTxII83s_Tl>XBWYmBQ0fNM_|E%grwn&Cj8D?x-04j z*q#c7Nt@<{vxT}^h>%PwLxSI(S;V@CH{`tAR7X6@URfHOr#^Kfnx_oXK z5jKoJFc)3y9%xo=Fmm3w5jRF=v2TV}IzJrJ{zTEa_8as1=>rZEn!gsuN5_E!cN;F3 zLN!qitIEeUcu|D)$UKUZfw*`E>rVK74UZq9<&%hFqS-9B+lLXnkt%dxj!Dq~e=b;t zFX;&vQtKvPmBbFsq%2k|#jRV85n0-QG5GqxHAn_Si`Ov-^a)>bsetHMsCuw|S8)xEn@#RyE6H{44N_PXqGov*MTsp&xh86&YLw1`PivUzI|H+tW~LMuAvA)dW}TKuvLJcc$U( zU|Ro&rvlOqXX@T`ztv*@AU%=>m#qiYKlacyG_)4hbEf>?;sUYH&KJ9`M4@4F0}vFf zC0eA~_P8*C)Bjx|Lheuv0@jXKmEj%6_W%kmMV_PuxZAi;gnATgM~{kxI! zs|mi0>eJySN%TIm(T~LoCiND~mP$lrN5$AUB)snt1XT0-$A;oVWvVfZlbVhfQt>$ER<9{u z=J5o(KG&WYV?yscjF9xe^)GFckDkY)@!$HV<62|k{5+GBKO+kI`k=ANcV3XVJALO} zJnVC1Avi9ZKJwNkBXv_Yhf*fi0^fPH1J*F-t1jI@ zPKvVEveG&jRwR3#F7RGAER(pgD;|L8*`SQSmDEYnK{6Xk7(KyA_~#pI`0O4k0^c%g zHFQyg>0v_kmW7xa>{Sp8(aE0ls%KHVj|~lZ_^e-8rA8+rMn4G>({xX))$HLB|7gP` z0}8^mfBPb7Hs?niB{gNrqw54+(RIN{m`%HQF3k3o@7PI@fL1#;Iu=d#^KWnfmnv*4G5_DWWPW%mm$=~x^{Cj zUU^gnBkNw#X(8!C@2bpEbb86QadGfs_jR^-9z#g&aUuPUN_1;@;+C)x6%j-2WY3Jl zr$RY$1_?VCeo`138$&a}R8pVEOi7G#$8OzG5I+&gP)5p(NiK)*)siH@EL3*K`eaoK zx4m&flbZ|U&~gWBVChw>o~GnX`KvF<&j^0=2EHVvi%Z4(P0nbJn_R60vf3z_y+3#z zXy92eGs8BaBxMFKJ=pw+&mnO&$6|q{I>3RCTtdW7M+QTVq~*kV~sqMEonob=_4U}-U%?0_gHWNB=8^9zAJ{1hSX^rP2-ua6jw|KII5buFug*+ zLbQi%ABbJGG1s&W=C~t7Q}I0o(sHCS*{)^#*zPPrCR-XlN1m? 
zN{G&*i01e|djTH)b16>Y8@DykKhX3f*1e#ZbXfm*iL7TIOb_om@Syn{;J)8$-z`N( zs>2jlrFazB43*Fg-gz%C$FN6M!41EQQ;+&a7_CM~3MD5FJzzV&?a_G;;pFneMS7>c zVYynE>99-VE&+WXZ}!foIy~e#riea&jY&&&JBw#ElIHYION!(Yp0K)1#&@%3EjOpZUKJ)w-5&I$l) zkNL?W{!GS)QVAk1PD6qxbo>K;QQIYJxw6Ql$7-r=|#9HSz@7K-{SEL<2c< zOwNH|*>*4MO*A2H3C9tu9%mxw2lQGedjHQ)_7)2@Nzr6OoP04=;}7e_wld~XexnXQ zFA$*fTc^no`hA*7$K43cIeNM%UX*f7pv&ct3W1LY72t-WR>MP$=hBI67L>q~O~;QG zVd1uVP{y}v4%kMKhs=0JQQ2QyV8L-rilz_trRa5(c=1aPj)A5TI(VyEpJp_!WjVf* zq0P3*F4=0&X|d+yLKlijL$wiHIiu(?rRtC`gAIvWEuhQOGM)SZY5dUonH??n#gd|( z(%Ua=4x0^3OdUPuuEHFD&sg21B31JaC7;W+emV~w{@`BX@sY-OxE9k_LkmC4w2F12 zv;YB}$UWl5?~!>bW`LIXqGQ7DilUv2F8p3S)3o4V_rqAB_7ADxpnhwbj_nU2uF;8n zU&@RYZ?Q|1l%fe@Q^tC3iOH&>0JvUD}8F4lrAVSvotpW`#BTLuyx*XZEhMaYX6{CTsa8$>X-I(F}C^dz~HlRl6i9(s9qN zTR-ipM&l=3XEv4v)1>g%&nt~QQGNGGWX8$!MVgRq=Oohgg8MN$f%6;U8S#Oywd>Xo zKZ{B>8-Mb2rk||8e0_1Oy&BQ^jjT?zZfa>}!~7GY`VB9Z9k69Ui-Nz4MwL7=i3(%vsb!Vif!lQcdkna zLiYabwAQgMBJp%*6K*TD7)C-Ntzisw6|IktJ^>Qf6okTzYXy&%Cl)3u*?R{qD0KzX z`k#e=T_=aARKc{HdKcw!Xr_Z|o|4a?GDuB5XW<*rZ1+QmXEgKeH z;!{HMLWjr>9lZIw8iT2NWz2ogx}sgUH>iO;h5ffNvv{Hx1o9CyCvGWR9VY%Guk=`nwUjYbvSKJv&vXlY=U zWFg!xAItZ}u1AlQfQ#v-*+kvj?qg?;BY%HI5Y%(~nHOZUag{{^v!=q#4L8;JG_()VE3ht*%87_q)nI2l z9-OUZB0&>Ey=xV0tDn*Vurm7@#I1tCeZ4Qpl<2FV?@OU)frh1EMi}D^9m(_T{vY~Y ziv5OZ&8>Z$y4`8}-64+b3MQTpWMbsj8@cN73n_f+jLo2>Z5WZQQ#pUBf7C3)D^j2UK|C)6+_k&M9+S zEo)KwaUs_FxIV&H6LiR%Z=ZUXl6i7p1nm2@WXZSai53|-yYM8P;E#bBD~@O@9r`rh z_i>V!Msr`WkmSjt@u}@BLp!9|9zEGujK+LNj;qZ8K3j53!lbmPR%-teQCBUoP|ly- z2(7o~*2_^kClw1jLuCF}mRO)qH^Rc5kF9>ZiT|a15uMYwXYKh1uKJ+yKm=8PFifxf zgs@I%>9W@4d#{a6UtK=QRR{7!>W(C5B>rVqUYYBi5HbH)O0jNM@Jb6qRsa`OL z?6+$1HQCw;Z#e-dyzyA2OoY;+O})Rx>vJ5N-9}b&g3qw;CJKNdj-ANyjHT*Bqlo4_ z0zxmVvh1=rUEZu-crd?THAr@Z4i-xkqU#*(IvoV! 
ztCXxnGEgD*)<@@%`AfPHwDuZl9+!v$2LJ7$4#IY&etG_YuR_}m3TIxnguyq8Kq4kA z#&`>9Au!f~J^Ou){MQ`3@|0@#*F)AdNOaOzKX&yVn!n{}D{k;wzr4u+N{$Nzo{3fY zo9z{s;|DYOj65ep{jE~f%klo^J$A1qj)^wzB}^qwH9gIQ`n?bD)3n+eS=&OcAj=Z4 zQSVn}u-s-oKHa+bLT>foSH|U?hL!le57Aa};mqagMLnMbEUikdZnX?7%BSbS3Eb%> z*9?Y{#M4a}_gsln?^y;uA01k%N{zG^i&tu$;5v%K?F$~tI`}aq9mMmD~cx-<3MG4+2X?9rEP;h^>QPBAdG|@G%N;a zk0_qyXl__P6kPk3P`LXsd7c3zXf@8B4nBjxD~SV>D`KxDfA0p`6T-n!5;yd(L`5pN z+WiK^>2cm@qs?~5Kjc|5UuQW`z`vfY=03Upejkq!A>&&6mV{A2Y?LyeKXUb{8V-^F zL{`0w;dA>)=IBHJRpt^Uy&eZF>MF-kfaR?9Mlrt6_-rC#j+68vmt9Dw+55UTY>6N2|9z4pwamlN7-%h8hz-uOoiFWPN$oO#fZj_(By%2GH=l04CZ}l6^4Q76 zFE_BSB+K4|MujU2G^bVsGJ71L$9>Qflon(Mx>5a4nTWbBp6_+DPS&$Mw48gA(8b5K zbJ$7^|6#U13rw^fe|>2)TuJC0Rt^?DnxbZcMos12cI3VmQLM9+|8eaRyc&O)^hY=j zM0!lHwuuo#>)tpMQ>$kq&y$j|GwC3beYqXB`z3PRwyOw}4l}WZJfU{(&%3Qwttbdl ziwww9_?0p-qsd`Uf?I5r@Rb%th`B47=-`Ru=ehR6u*>OC#(O?|v0mU2B|J)yBLQMp zVL7r6nGneHxac!}@tiYVte3rOckMiFb$kom!D}vAM^7!8hU^*z`n6RYp_-tP>@E_O z{3+Ja*CpV`K-Y(J33AtGqW9Py*hGPH;-QU`dokK)UiPAaf!$kA96h;)bdHp~q5T#w zUxz>DLm4azoYc`EdVIwCw6^}OKS^zNkIAok@d~WLFUoBw;2DIjJJ%XkQZdJE7R0Ur zG78G-w0sHV9eze#ENpDhKa(*H7$L%B5sSmI>X@zm}&t1oc!k?LWeA#zz8f7xdt*^&pp7EGO83z=6F@;F( zS4e2^pP_NrCbXMAi44VKA`Mi^{UQ#E!N>F4cvcX6ie92nVS-nGy@LGtG?$VJTO7cT z#g9*?P=*a#Y>sFn<<)K<7{{{Lo%FXrqf+)_@=Hl3cx!uO4@rR_v-oJXIPxr!TIOoS z!7V9yI?Dt75BywC6*BUm&vh&$Md5Y7d_IfvwG>_#NjRC)u4{K^$7V?lpZD~8WKg## zns(GNJDI()hPt!=ls9duwbC8ok_?s;o$%=b@twiHOsm`{RFuwz9bB#wW)30d;*t7q zdD4b{V*Q3;&xU_Txy%=Q*9A&x>7~9uA9hPg%!@LXT%VPY#FZnf3D4XFjhIi5=Z|OT zS5Ck^oyHz=eU|fT`s*}YtQQZNG8}=~dMr4bnVWTU)Dvhy_as2GLixo7p!zlU%GWM! 
zq|&{buE%*>Jgn>H;<^3|*tTMbU5y5q#Cn)F1SFha5%Pms;9KhcAGLsom{`i67Zqf< zEu%c`zVi$izAy|+nA#Hb3I4lNOVG2sQ4_F820T9k5Nq2v^+wfE-L^!FT*9`tM@2?8Wx-bd*n zz>Z~Kr;KSh=$LHSeWgEAGC&Vs<1z1?GF9=I>FJ!9of0NtXhPia=cmjBpOjhbJ=pSd z<}dIq=ZHc%_q>w5T)Mc@gNfcvDSm$LUeD(#`*y4Q;bnhuy3NXdI_S`ydQ%GK_YRSE z?9GD#cQpS7bEKli^xhAKx!cvg?syTw?#Eb~;&sAU`<>pAs&Dgx!OO$P6+l7e;T^l0 z2vV5ft!ZhH5o2HH2gg6Dd|OwDb8s0G%-!T1+FMI$EfCuMB|+oBR^7FJF56nTabk$st9cUCNaw(T(0SWiNK8o%_}C#Zg{~dLe`}l~S{N8AI2wZ!R&| zYOa^;;)OR^^UDkIIhJM7hKb+m-d?3lBx!0a%!P;AoX_tC1%ujB8Xm2brNBs#p!uJ? zMub|{S^JADm|bRv_6wBwM0DTKr;_g$>DxEBs~0};l?PA<$nE;j!&6q#kqNl_H$|rT z6~1%#0gnJQ-irv&V&)40Bm+sQ|N09TtMd+Ctxjk;IyJ>e;{?~SXzQpX`NK|RQ?PWR z>x3j;WZVRKBDV&~e%BT&h0Ll#c2LH-{B)L$=2Ino$SfD(;(_=TW142ikydl9IcU;D z+atGOiS*lRYtw+!i-fN24~_>%V}bY_H!8aqA06WVz~t{3qN!k5@!ahalpQYx-trNlslgKk`A&Wfg;8HS0fN z)4W`7THY6h-7JN!nU}nN5h?SwkCSwdGbgF+!!9X(Vt6!WEU4T%q7fIiwpF~As7F~B zz{i(l++Bxr&|&)7<^&q0BbjrvN&3T3SQTiJCucreII1$y!W~zdJ$vy@keP)|UIH5n z!?#0Z(p!%p*2I21@+FB>{a3vkMJmIg6k0v}yqv8JBG*nz%6-?YK(K>H4vUcqM6ybe z?cl7__2c6?31ngd2LkUZfz*T?dPgXDlBL>Y_SNgWT-tR6_om>vOsxv^!&1h}3J(=i z_~|B}Q_~_mBOgxMt#NVC;eIa-j{tU32SqK|mwof%Ddu9PFchpReA@2Kq@G#rJZWVl zwk!^Up7xHp8o#K0qACo9-RRRNz+uahRe)i;A|0o`yT+I@`Iy4X6g=|oR$68_)OO-p}YCv&jgZU z#XK_U;m?h>5VkeA_2jsz!@^|00xi4=JhDpbe9}f4E%sa)4ximL19nH6nhY;nZ8h5^ zlOtHtyZ-1AbS2w2LA1`!&7BX_e2X~HIGeI^j?peSJ5eEbTG9Kl7v~Mhbpi%uehMC-+Ixnb<+A@%Q;o`uq&yr=X z2APabx%#+>o(RLZ7;&LxqHTnRg-fv<#z7fT6g)fAXRy)xPNVdPmQ_fPP52+0uMGj^ z=w)MvVb4emjZrs*miK9<32&C(^91{1<4TAVp-UHsX4aU8fg?s=J_Pnm5RmD2|JC*A zLn`gfxiIo_dSrH`%<{Aa+5vQV_?vOpumJ{-9|DGn_tu3my!22+1S+}!mHIB@e zV#LQElQ=Bj$LApNRx$aD**_s=WJEZ^)$a(<-+k>?GkNq=?V;dJY95dWU;VT74#pb9 zPsCTQZnstaMB#-JPAwf3A0*hpp{k$i1rXjI%;COa z#QW0SVSE-dr%-FwnSjfKBuwg?Zaj==9h7ijJ0hDc)`YQNprc(s!P!~iKEBd-o&SYI z^8|6R!_mK%!C{QptxTZKnuzAIY^k4^#ZI@0cJ)FTl3W_x&IRY(b!q4s4*A5vLt9r|IIc z2Mp#MsOm4kA7<6VoTSEFEAW6+p0LJy!D8a6aC3>Q z;vt2d%91Xr7PK6+i>tiY#}PE+&k?&#{HN8hg+u!){M{uiRJaM8TqThCsMpgjUn-z% zpo%Pp=RQNsN|DE+Q8;LF2iEru)1GsPa0OTQ4fP%O&EKlyzC0aL@(_cgG0O_Ixyevi 
z0YT?V(DXe?5MKOnZbh``%CtcH#wgr!)2Kl{LJ`euI=MH_1{zQar+L%)hwjx<+$D%d zXv}tFa9)jOgj%5t<+20TH0^KPb=PffWMlGi#syD*pf(5_!avR#W;rlFndOV^3FL<( zsq6>4NyCa{UKI4PvL!=Kyb>jm>;)taYGg1*OOW{`Lf*vg!RA}4MI`s-rOVFs3;JH1 z$>Dxr?69@;n?^Mscj!Fy4_`2_4v?oz>-1^6|FeSmGo*)ALZj-|&_mZEh0Cci)3~-c zWNtow=u0x19X45JXZJKO^{^GJdgBSPl7HJYy7s-J^Mjx5TEFl_4L08E*K(#d0a>PP zKsWc&$|xe}Pvo}MAidc5%nP+mWGRbwLN8UHYx$@b9WGi%#H7uVpzGO?i4X%jwV ztg^HcC&C>^QJeep+t!4>Nr=4v6lpk}rICx>5!^{}DoSmF_9H^F8PGQ*;a64-mN$7y z@7IpRoue@wk;1~lIEVxUB7d!wzXxMZFzCFO2XVau_O@Mll3O-vY4`$gU_xF)48VaT zTmU(I#?>g$NnEA@qM%i^X+9D3G}(;n@*3943(jbajcOC6FOMm*Gpl!^(TTH8H_FuQ zG*TyOhvpZ|xNKT+9C#5sWfECxy=`7g9}|7d^u*%o*hdBl3-_&~b9(JzIbZQ3lmcW( z5T~cY>_&+PQO=_be+FIwvvbBcYJJ(%xWzZmTnRGG0cLhAs}!XL}e4){pTDqWWYo)x4~$%0ugJ6$m@b^K>F434W8j5qMOy@lg9aBk7vr%b*MwsdmuPrf^lDFZ-tOL zK;SdV`Rfaf_OH@c&^cE~Fzz#0D1CA@MV)NqV!SS`go35;L`ab^W$W22!zGDE8AWu3 zq4fJeqDT_^gLrpN_T{=J!OU0zjKpD~CA}%W_$hW00{ah5Cn$LFW+w>!&|k>ugUPFw zB-}I_w{ZO+x1Gz}Dh?`0_qVpXY-KbAB;h!HC=rYJ{9muJ@HbZO?uv?)*7BBqErH|N0U*KM$SyYd=UwQ^RMOQa zAIMYrp<-se60K;Wx>rgW2t!u_6CVWrnMVqrL9AB zS8aH*|KijDt3tTzaIV8e|fuWTq+{IT{)0Y+2 z3RSwqt|@6pk8VC;2UdOT9=k44x>j4i{+{`xOcDDdJ^Y8s>Qsk($N`VP(QXv5UA*&F zePLO`GJm!{HYKkVBs$8MF!W3NywC#0{uE{zi__l!Vec)Ys@$TsVa1JZKy(9wN^ZJA zL8PQpN;(CkrIGHEMnbx~5s;Qf1wpz?O1eY3zqRq4Bj-HNH{PG$_{MnuFdT4uuY0XE z>|E#I*VGlm#NfgpJvC>@?TT`pNHd)>zep+PIU+Dh9HDC{$C$1UeDOWGKbGUnVlM>_wt!}pH(iZh%29o@Ta%O3=SiFYFy zyv)p%yx&(nM!GC9Qpi@3^U+rvSA~i=PY2R-A34YWDT-IZELjDi#bjC@ z(HJ-?Ol&?+$u(CeL9+L}A;BZDv}WUmlhfa|0Cb9S(aZ|`FmL79HsZ&KT#!nf~R`9t1cVj$D!d!RsK zwbM6g{D{nMf%tyGH@h8EIXj$G8ifJY7d1AP$<|*ps1$N>xK-mS9pJ^Q+XDFm%#Uc+wlYgL3l(4SI-|%)k6A)U7PhA!iNXD z#nJr%^?KW|>{9`7bUEaR>gE-gKPB#<)z=Qj)f8bC%0sT8Z{0r#{j48%Z$Ep4gYn+q zul?;;U)9$R&pZ+&Tdy~D4)W98<4jQsDOu_rMFY|Bq3N&=oyMCR*RPLd*UAjj{ie`g ze=c4eL0*ZY3+d;Nv2=va2l6NJe6A#_h(`MmLF1({UW4W|9^y^vJL6sU>j_tY!Wj$$Q{8tx-qA>_p;r5LGByC6WSP@Xh{eh4;3#1U?e{?XINrh7Ri? 
zUlKiVZr+koiCnjTO#&${v4IUWVQ1_J^d|{0vw2XV4tc}KIP>*{2-@}svD`Q!xo-l= zh`7J_9X&&}f1hSF6bp6z1KB)txp;W16qJ8hb_}!HmkQU;>FxygdAA-JCoz=07sBNd z(|n!WN^Sq*lXO;Ts*}lrrd|KtMSvB;myo{!6DK3CEERsn+FXYw(quMp@KYlTQy99K z7+dEux6$-7urhm-@C*cSB@2o-J266nkjMv_YFBC7P;f96LK*#C(1v zmYAM%gQ-#zT)vWDal0W_z^S4+SdynAm$n6sO`pZC&f6gL zYv!Qwg&}*?bNp~QL7)0iG@r7ialIya2O|w{I2k|jW3jJYH+pp>RK>6rQb7jTY$vJ} zrA|Kn=XZ-j29V)GO&cH_6>5Bor+hAB;1H9**n0gfKOV8)RDrni-m==S>c>-?;mfYp z*uX#K1h0Q7JOQ-B_r!D}lwMEm=xiEdsLGT6Lc{7QI@7hxRbkur4~R(Z>}5ljM1MX_ zlY*vw5;45BI;YwFef6N=0$0R~#U{OQGa!PkwD>RXhV_<<&(ICw_Qc?_+4o-f) z;;D3fvHK@B$|ECsKPIt>?7T1Pj2~(wP&GVRJ~_f1F#91lzlW+gAmXUPKgH;{%$G_N zU6;pyk5eDpWnl2oiv9QYrX;ziqVeVUPU@LFo(<$c97XaQys@>M!MugFgJt?v@Dnn} zKg<9oHA#?oQ?3E@e70Vg1SaG{cC)x}?e?&1WM+PA{(utGB{$#)2=pQXtGnv(b1pflE_!CG0#KtFD zmi@I4yq_;G46(fS0bIM(%uglrob8&~MZZ#(l*8Kn0-Lx8Bro{yVEv?u!HoABc*aJA zgSF07fyrp?&CA73l7CHgf(k92d)Z_pOAp2Q+)y%NyX5mXO`_I_N7WL>xtB2t$b^p6 z*h3e~0$#(LhVl~TpV+Xs0}qAKvPC*w|!P+gF)%47HC->_iAa_ z(28$<(Ll^i)DT7u^5WbZ0rz}Ynzkt2G<_SCx+7+#Hr(d&o&zHl8mcq2;k0bX92rXs zE($o(nT@#Xb>sOMM;qX5axLm*ShbxKt{8BMl#k$=r&c%84*t+Du9a37G438%h^sk} z8iLBHaR+R$H{i`OsR;yP(IpNFv@G{2|o6<)alf zg9ZmtSk)&twbLp(*S28Vk0n+SJaUBwn87{4wc8|al@;%mh+C7VTs=x_+`fnI3n<{B z%0l_khRfU~r3mMiQlUa)iEZd=vu7$i`hhe(2T$t>die+`?P6pjjoXvUF+88uI%D!k z;KPgLaF||ma_4m^Q9@FUTg6Tf$PJ%Pp^Bgb7%Y~`lxZcj3~pd??9EC9qAlN&P;Y~Q zg%LoQ+`%`o@A5cZgoU~`uJ-6dZOdi?7ZuLCTjKGCmU!$t!xTMcqS-T&qHkP7p{Nmk1 z74$n_3UpfvMGlRIgc1XIbLNj9nac=Ct3dg`=webWQv4Rqum?o6-rW%lWLCJGLXMot ztkr>wU-f9>?_=Y58GLb|2ULR>@-gX?p1a*dlfr`1yvIjzsC?ExrL%)miP@R@URvlE z#mS2H?(`q!Of8$TOZ7X+M>EiCn$=PDllNIsXPRUf7+@Mw;q*~YEJXicd``^ft$n9| zw*cgxELAIVHWIkVkn!&Y7+4>x0H_i11nViGl0zLolz$!WD``~pMW(wm{~5PRT}c0z zoSNrHY*$jJ;HD~IQCX+KRT$c=Ja*A24{$xckU(S>q&T-kA84B!+_b#yP>?zY4U35h zNSU@5Y#~EIo1a56j{=BcMHR{))jEgIYxpFOb=7aR#kSqM46r2LYRjl94;B^J_>l9k zJbT#xu537_rWbxwEdC-A=G9js?TF*(!R@lxxr@vrX&zj=@7vcWy%G}e<=4SmcD&Mp z3OF#P&8uqwl?XDUW(~wrH>e}iXUV=Mh4@2V83@>@sL;{Z8|ARe>|IZGJ<8s=uHLA! 
z$YXc{F5Zg8uQGd9<#1g;Y6wxgsp#?xCr3S~rXj>ET|Y}HeZ*tbb!(Bo?2(xIo=R{& z_(WtxBGypdsBDRD?ZYkqian2C+Lrt#PxSXcQ1=(TySHo-Y^F}W)^?z0m|s!@WlxOw zpe(27l*wY7JSKbCYt{p)eLSt>kOWvzDI!BkxuZ4HdV^iz?h;OH1H zv0y5)ovQuf@8i-Qo}|*sUU0#8O;|xIRay(tHqz;FSf@$Cvx}y81*>BgzdZaWToQ2& zLG8@H43>~0y-S}L5$g4(m)_^+$I?}8Z>BYa!+B34SXagh5LVQ*<1VqN6oUZ(V>zY) z_d=TM@?UkVxanG@fA!2%!{-V|PddP&88CgHipO|H`0C)G)Z*fcOl;c=b}IB&%SL;1 z&H?;##C{C;D+3dER~9sn7g}>Hw&9Di4)H1k6Kj9*9imkf;8V`-_yq1%Dtz5Qbi_B z#R=HYwXjsvxkYogDkK&)TNwx1(B?<w{<5GNJs)Eb3L%duJ|;)t8YDBwg1jm zgOfrgOmG|19mkkQomBA7MWsjAOCA*Q)8?*j4pXP^&f5V!f>6t&X`+#eX}MUE>}559 zk8WT22OLT(Emo8xG`a$MCv@?ihw>kFQzS=~hM$0|F3L_2 z#mCYhSASFrB({U(&T%~*&J^p|ymCoc$jjT5Ekp{%TXp){c58CC6G~7ArHxV~trn8z_#9bR(+nB|m{+=*LQ88J?_o2r&3$FB8|@*n#WB5Ap# zewJc!-QJ|h=@tv=(onwIyq;6#I+#~dZw=ag-s#9%&DZC=@i^c7ck=_-bE>yz{u99^ zgFCs-@pQnsgY%O_r&h@AIPiuEqh@# z`5bpI#83qz1XS2k6P^m2KS0AKzF+ zvB!u<6eXpym%$I~V6369Gu|nGAgF)sbi7@=FG4Ixd_QuT)BJPOfCM=zV4rbN2tj^n zt8nna*ZRq@Oa`GmTn+@q>O~vzRQSENh)gI6>(jHz-z;tNE=L)LXOGaF(RO$Bk>%R! zmox*0N%I=2PfOmy0tM6fvadgE!e*a%0X$mH?Y!hMzSK{?Oq`z5+}ra+Hem-!V_(+S z=w^JF-Ojuc+Z)2>r3o$DL<*sRKcQ5LiSdJVEGxYj;zMh+p4!80fb9v!JrMfq6i~8j zg2p3>vml&cdZuY`GWSWsvDI7ajfcm3`VqO4@UPoBpz4D&mB=&c_)DF&kn^uIo@FU^ z2S9QQiBuFe)!P`NZAGkPX+=L-B%Dv##Harj4qpnSU({Nii|P;k_4xORub#&qUnn3l z)5O_d3JL0Z^3@*3(tI0iMtb^`;t@_at_P#GP<4zwLHIxxo0d+_oUZ5$wvvIkvPvw} z&R+?7$N&BviZ^U_)X)YqH$SWUZ_B7(u3GIOxWZmg)tLIk#mcKOY615zE_n82+hyzU zn4Ovq{-)59s*h0>^>a(B9_LRQSvmbXdP>hEz2Wl08U(=Z!s9v`cE7)WFUb1jAmu^L zzWY6$XSJ3zZ(9Y3sfv_~$T@B&zSAQqCr7DnfPKM;yHCUalOc_PD~sQmzk7uFqCWoo z^g|G=X}nE1D^CX6{v1;BD}2N94p4ed;vS8Bvz)`LFd&8(gSe4D^x|e5xS?Y%YtfA9 zx&S$-v=Sg-U;j~XnOlO^DQDi_i@S+(uhs=OJGoHwf-g{hS6l7qfyzjq85^e0JC)KG z8y0eq`MM;YM+FJ2ljjdQ1;?N?U;Dmk^k=QRL92dzU$Ll9yeM$$-X)Po6#Ek*VcCpNg>3GsMV}F z=mD*CkkszTs;Hs~c_0S?WwdYjdo1R+q+X6Us549}8lGmoY*esCPmK`Ly(P(s!*h>> zR4h}+&^Vb~^8J@>f!^S49>VMFsZ=u{k&@zVB&178=kE{2Mw_Ld6Gv0c$#Qb{;#-J% z`bB0AHP}Q21@o=6ZiUz|P!Do;6}qy@=r1&m7))ko?{5dL%NM0FS`)cc?>9Kfre9z9 
z>&j7hHv}~wCV1UPR{3epD$O`wKsrA=X9R=Z4RGV@GX5{eSsrqzKM$st`122<21h-t zsNeujnJN5{f~_C50bAa-^g?t?nyyPJ83x_gtm zRtSqzx;-#eWI(0)xH9YRRB}0CBwkjPisirP0B{{2s7oDE5LxTwB3l(dZx?eu55*^s=d4cKxnDxsXxXg<#lDssN zPT>dezO~SgeC!}6*HaEE&_3#Iyncp_gsi|v5?YTH9e~_B6gSTC3*Qt#gnI4w$}%2+ z*P2J4D%G#JN2qsyS3RX!tvWhl_At2om+E{>?Gat8>`V4LCaQGJjQ856M4H)m>*7aC zDb8CaT^dDX)=lxzU1_U^+&(qKp)e#4v^EGdjA9$i;aMIAw zkU;w|G7cugc|~Wr478QSM2R`I3=UWiemxh}?@HL=D*aG%(s41TYrxLKF?)Q=+9bLC z*Lqi+kX7fN>sz@!(uU5PX(r{tPbv2&Hiyrlo+CG-I}+yP35tJsh>wpX&j$@^7~48L ze0q6*ejhe;AKqFYhk>D0@;TJfU#0|GAb6?bg;40bcle;IXW>AZ#5$8!Xx}8#PaAPp zojYZ4(Me1AetB?#*Wr&GCHWc$PIUX@(zn$Ypx?OBWX7Ak!Hl3nr;VMruI999b#I1+ zx-7|UYtD}tBTYP;9n>b>zK$80-*r9ec5R6+<5$-jR+7QB!RNHSG@(K+q)bJ8C*N|^Z*Xkh_;uqj0yr9|sz)t@EmD4yV|VV$;#PJEnua-fm|`G>LRp zlLKY(bv5hbKa!aSpARjk|70a(g7#e$8Vsbhe?Q)vjb>?)zh10`ezIVf8D}$?s*C?Dz1s8rlK96V9{i4W$~ zadH>^QTr{I*#yc4xTwahwU<)oE9%+W{&h)h3b|Uxs+t5+b&b@E2~+yC$s?R+=Shce zZ8yafMo|?yd~ayt%aiLg*Dg~GMBsJ2wsAIBXFK$M8`oabKX6WBUT`e%bEJl3y@YkY zR&A)jf@X$HQOq)`fc@te52wwj@dJA|WImI4hwD@)XKu-d%6qCd<4!a+1HtI|BX?!i ze5p+?n+asn!o>JO`y%(cMlWSi)dL4oT*OGo-tg9>xqNF2N-1wKB>6SrPb!6DjvTt!hi*D> zB)xf`d)nI}kN$GKRybz6KW2O?w(U_xkV|FQO+FK~3YU}P4zvA+{ueagj2FKwL|u_X zd(Z{X&wLUzzE>Q(5iTgnyMYuC^FOsrIK z9qb1gC(3?*x?8dtMsAiEZi_)B`s(Z#vg7fJMi;@yeJSO?G#hkekUd`Tu>HpCGJ*M; z55{S(lk_m-yJo|tL~22yT}W=)1D&WtHjC2K_e$nGQ}QGUVVl-Jq+5~SCJpCcRK|vG zh#3&!{j#49bm%%b3Fa!gj@Q$bKdpGVLT=3{o)9r1;nnR|4MS~hBkQ*}8{@Ioy6as` zV^As=8Txg;&L23R4!er0EmV!XI{svr^hn&Neva-SW@>0I2CJhl{{{ZNg?$lNQ_|)j zXV-ApLpQdc$#|Ma=P8-KsPO`>A^&utfV~9z>AdqCM)s-DRQN4#59oV>QccY@=Z>_8 zKG+lM(MYh|^w@l*{r<-AccpQyjnf)#3r?|an1#x#wbieQV&t~plPkEoERRf{T)s6F zq5p+}h;{Mf3w4RE<;**Y<#3ZWoA*0?iboZ*JI@)%a*kHoF(V7kq*df;Q%Q{c%PR3jFDyJR(kR7jare!YI5aOzi#qFd{9nVU|Q0&=N@9;^5q`1X3n$P}=3FVA(g7`=a@Ka^g~}sZsCK>~w^iqNDeMLx)0(9=5fPlHrl*Ae^k;)UZMB(ETS{j$4<4`%traf;R=jUELGnhUu>}VOamWNlmK=P|>^IaOhnO2n_lfe8hDwF4uK@ z^PJ;IW-2`K(Q28%?2E$V0#52;%kmU_(zpC@9uL!1CF9X?YNPS`_|gR~JjCo8-($g{ 
zmUC-2<~wT5P$FVeh%SxV-#;2ZgU@iL0L^R=z0-I>-yD>sOL>`$1bDe$eB^&%7GN(`z8J`xVAk5_opAbM)ta46FQIrQq2= zU4X>IK{pt~=eIT->?bfkSqXIi`4i$_V5yBk)0dE2|6|VK-~K%L5(wA~QeI2koK0X0 z#k-9^-C)2JM1hiSOR@rkR=xX>4rvn1ex{C{bDVI;XXR(x8~lG7#PAw|C#mU|8@cWl zsUg{!Ej|3_PY4SDy6@PbgKkCJpdZe4(ASkLCA+04aTZ;n!LskcKTo=&A!LVlPdOaO z&WKm9`oCm{8Zn_|3Mi&*H1}JfMkj>qup0RO(3zCxddVIv0G96etf=V0lbPfMpB4ew zneIa8`tv75`y(Lhh2Vi_grMJ03i9}EPl>oPsk4(11z}-ZUOX@U#V@2^2J&!*HZ24GA7LUJk8M2MkLa->X!`bN9bsFgV55kr_+UJmFQ52cLpsN{V1_bT zEl{9;+PF`zUeei+m{qQg)*ROVV}vXGqXr|cH!`igBQKERq-fqBW4C)3Bb4K(*~=QZcsunlOL!D7%a;F z85nv`b6OO_r{6W6aeeqKEmOP#yWuPTPbH5}UQ{;g6VlO>s`e-v4M{OqbnSAp1IU0j zvDP9|}}AsY9Vp7BjJh&|ut*eOXLDAg=YA)>wU@6OS+ zRA6{kW1u|t$o&Qoe$kXCp75xC#hbC*R_RG@u2E5RlZB>gcC@AjQGIrL-k}vW0_bRW z<*X$#a!)Zb^S=92KxEY>99h#a{c6_Ag8yiThzBVK@d*a0*`oEj@jINP24S z40L3e`KqK?QJq|o6krmd5n%}3dBPVeTfM}Fjs(R|;x$C(`{h_kN-p4bUZugDW!~4P z_oLiwz3c0${o~-cqv3mcdIq_&LDe)$nU0TxcZUk!>wQtkRrSPuQuG0bz=$eWKdtg6 zulb)&U;G-=pG(yYl~(RdI3K_g-M(XIE)?s2x8*wAx)*ffO5Uy#6?e>So)oJ`k45`! z#j9R2QICG~ihd%D2ND2#t=vU=2Ql=Ivi&s>dm(Fhi!a#AAw)-&nnll7is+G`dKXO{ zYj{YLGCSozw(S~{1`eAnA587D#jk-q$LVwGI95Amtx(xozb_I{vig^090x|zUc56{ z>EhdK3I8@NyeVu5$D%3^q3(+OS`URwuOOwuAj_l0k+QbH?(PK!VqIBLX$cQf5Q9ue zyyzZk@;BZ)#Oi0U>!Q%ppSxFju%_|S!_UtmvIx^4s{BJbcXYWT^3HGX_Rm(j^G>5e ztYErxO@p}GotWg`gpJO7y1b>3_(J*pN3LIo1ZMz{OPbqV^=EluystDpNFPFq&pt-- zWp$6|EG8#sk_T2A{}`GO`w^SDtF9sukqr6r;81JqQE&-?CN5tmC#a}MDD3^Vx8 z7ps9d7`%-kKn(tCz@R)|LKB< z5Nu%kJJI<<8|$Q&0Z4fO7VqWFD`p)IqXLVJq(`yzpZ0gxkZyr-wqpT|!2r!duhYX& z`9cX>%4Ch&?j&-*@~ck3emS3c<9H^`>dNcxA$p`g{yYL)+`newA&ZdjuM|+(fcu2m z{MS5Y5R<5XD003j?1KoWZ?#Rk1u=Kwx9Rb#;0OdjtCf zo^`eofRR}g$vFauEDRuP^!2NX00{u!z#EHl{NK&|U*UG@)z$ZkKm_A)W;X->*fzw! 
zrXPd3LinE9e(zI<@GF5WTI%8=z0yS#-UDzVWb9oJ(bd&Jh@ms$dvO4Ecz=lNdE$w}4jy0U99}x5I#{gAYjMJa~uyM=m^g0ldb1&CKuiFG&Fp zY#{)PiZq6o2xvVDDFbtIPa@<181wG|E`d5q?y~;Jzkl=B-w44g`C&~u(R33+aBHvw zUK``gmRIJ41Uj0ErgTEj{%w6hD`rX{S_XVVFv5pmmwLdQkQ^PC{viHqNW|m_4ft*P zY(+b1-(Inh2#X56bGgW#vts)9pkD6at6?#^K39~~T?DL%y>8kP#Xl3d{A^xPpril; zhu!CXE8G|ehOT8Z-o4T+*JB#del}sJE$2TgCpo>-$~V275u^PedpJ%&vR}0`qtQ9}4q?6FdB5ehs-qWr3x_$yXdI zR0@3SXZE6Z{{aJVwo5@m38syefy0mx()KFsA<30BB*Xxk{oX$fXftk{!~eUL|DS3lFBOE((bgn0 zf`HTd*qwOAatK=^f#Uex9}(vjMJS-Zp?>Hep}+hWAwXfk4yH#lObEkwf&O?+CNOLN z7IFUPa2KVhsE&ybRc-}CE15qcs=2r#d^T5<)6+;J_6}7=qZIkw`o)*1LzNDU6-hl&{yKn`p~t)l4Z|V=Wwqj*Rda zkJ{g1{7W-=8}q>+&dh*<%~yJSCJYxuOs-XsS>mtBiNba4Di$Qw@_UOqd-8#qEcnyWT z1@^ozv3VY?!f+@9d*RM}!B_=#f%OZ*IfHz~{10Ja?YYn6$ym%1@6Dy_*?msFdv;dy{bG+^b^u|z8WBX9ith(IL{1S(DB-EfSpLa;P;i(QIH4(Cal zWv{-e>cz|MnPgJJFbsLT@(Mlf+N3jyE*D!-fWfEzP)(E*(?T?2@}Be1v8SC)&&h(o zXvIlLEpepsF+TJjf?F*9G;+o3Ue4Y__A;IUxHT`DkWv8PR^Udc3zfI`-F|fuvCLLt zd+`ReEL7H+KFDxNrpRJyEp{~y_qp^XNJ_6pJv$wjJv6~_tfcV?0Q<2{2r9U}rW|q%>bHsn32jD2sO>?wUW}QTziz&M{(e7XSyq+lsT0gan93&(s z_SU}hJ;L>ojzdV2T)fp4BzNgMrJn)4<7V`PH`myX;9ZA^seqB4rb&|%(~73z=Of`YrXlokMcN1eb65XQ$>7*$*WX;cP4c{Lai2Pnc@YyII97v&<$~!+JCjoY7 zljwbM`KNz=ct|6Hns^&vs1Bj8I-vHVh_wpeOV-h_D|(~KP|K5mvSXUp?Km4n{-dVLk?4XW+y}j|E}J zX9-4t;aYM4A3rVxg7xh5RdN)7HPJE)@%(4k_+>5ur*!ScLuRBT#Ox=_Fd%Qb_bpT@ zpq6Y#_=rr4JwlgWb>9C!ZwgpA`w3=!$TNg1sWT*n&Lpk>ER%rESq!k<1p0>{Bf!oA zY4l(r(pX04gB5k$JNq}m2ZIU$i3N^lyV?M3fh=MR`h{UlTtB`V#=={F=DfKL+|e|G zB==y^1hC$iyS5L{6Rr_Uef(ck8~`K(xRV*1?ih?M1YSMJ3IeaI@a<>f3;ilH`v7b` z*v8KwNcDrt@jE~CjxSQH+}Iz2;PK_Of17ma9Pm0KnGwQL zY?^O(zy>v9fUTP$d%Lu#AWlc0fVGEg;CX4~_I359LQ)iqQ1%%Us7h_8n*2GO|w;YkN)0J0bYf6)A zYw7v*u$i@;Wxr)G&nzjPk*(5WtSoPClotd`ybikd`9#3Ov1sn%{KvzU0Wfj65Dyo9 zt$y+j=Xy7YL*JOUArV8v4v53gV7Zd{0b+%*DKRlntZV+({P3r1S{H;^1k27u4N&^7nmkqH!C{k=wlX+V<|5)#e{Pn!W3W+MK%raJ?%-OH+F3|J zXZZ>~S6U>YtUFFqpi{CD%XwTT4t^$6iF+T?_5Q-LpgRN{rx5j4*lqcbF1!K-2ME5B`wyI zx`~9wmIei0%lx-0EH010} zCdFy-Pd{INU~udT`kBC|0LIA!AM%~?T8ZAOnG2JCZvEryq2%qdWv;Ufdb)FpKTFi? 
z?PD<8qu8lnB}4MFCEbfWr)6U4^~(BrmYI;YduzjYK}wUI{`yp|G}N<+f^4O}xAcZ9 z!xHe6{{~REfU(>5M`YsuVlSHNmZ{g_tuhpcZ$`a?61GGvJJ~1?wep=u?goGl)nJzN zzH?G1w@z9V*3vNe%tYaC&1f4TvZ)mEdzU=lIR%{W1x#Tle39!S@k3SEqGc^!;u5X8 z{R`HTaV31|+?sh)l%^JU>)a708pBp904#k(9xwbRA1bQ5GnZ{94#Q+2dVF7GqG{5T zyT$8xQ1*o-8jdQFl3WT|1$K7!EZkw+v)xr(tlF2E)NZCU3Y%Y~guyL##IDJg`G2&3 zoX=mPiv-vlKXWtSR5olt^#E@phzQ>>S(D4=0Dz~x9f)C+N6sz}k41VlSsFpis=VF!!z4bj;Sg~W& zv^X+i^_2p&v^#GPRM$Z7b$1fi%88o*7i$(Ts^=l;HOpzp2(O=MCD1(JQDz6mx|HH; zUl!90qPPa*m$SV>A_m6d0EX&!2Y6vW!xXIl>=Sg37I=Ubewf!Sl;4yOFug77aKAJ7 zQXd-LYMwaWCc67Orulgu+`0h>LtmMZBslfZ+QzX<@NFZAyHXGDW^wzs5me%*A1$kv z&DnQK*>@^d3J&fst-nW;Bq|->@aaECzRyS#xnqF|))1}?2~)F{kHz5=QM}{} zD%7~7&_B?SdyoD)A!U4Yly3)uo74&dj@;*^I3o1|u4|upb{33|Bc2D)VPytqYp%6K z{U?vg3%Ivh=TZf}D1i7lApWg-xqsIJ@FA_shyZr%6%Wwe4Rx3qsLlDLeR#G$nC>K5 zdRw9vEAQj=&?B@8_Uoaf56@d)JfYzDg5o_;Ag4I|a#B9}Ec-o{VsU%(xWx&Ps(Dn% z8>f?{*(|eU&wYgDOo1JqWp9=-lggEIBo%_{40|I95gI5a21Zug;H<>8j3_Cds;D^D zd^jFdrIgRxF=PbG09^O;My*X7r?-JWV zF?y9UUX1s814~P@Z;ecDBM{CX&WZPx+jYh%6NR3an2_ydV6tRD*$<+40GO;dv{1`g zcbqI-(OafJl2VP$&nLWi6>A97wkpF4V3uOtx^=tq_bG2%4xh>Gb_80Txx}4~0W?L! z7)0vM3j=P9+L`G9-F*ZV9)ueqmw@u-bbIlp%db&c$@r>K`5Vt|qP(cPaAcl}DI7nQ z?Zg{1>W}eOF(`jsl=yxBstKep-7g>4!?~`q4QT$&gOA6JF_KIby4=Kf$ zm_ln=u6dImQ4hi$zE2~T8V}|slxhrrRNQ7+ebhF{iv|iyD8oT60G

JtY}j&(uO# z+TCSL$++szbS@SB&yw{Bhgg1wfD%yu19Y#1H>##Ko2u&17aB;T=wA#*7~<_^qIjJ? zHLT0`0Q{t{%|owKJ^&}rF|S?1_J4jrQLi&Lvh*m~ojc_&tcpkg%!Z$|q(=A%`~&5#kf84QNE)so1@H$no`=@J1s}uG-auef zxd2y(p%Nb3vwFhqCI?i%5-p`*bc6Fm2U2f}b}~nPeI#DD8KxI8+!Byuv2KzW?gHR~ zMHN^0ng<+f>sO#WsK=9FYc?zYmrSg+Ao zPHoq+oYL^iUU{C=TGca#W0{)1iChM-jIHNys4{;7(IkH@_3r{L_;j9o^pp-Q6vT5c zeBplicZqRDu6cw3XHK0vof=|C3bkBqjKbZv5UJZeeun-@FU={Du{mnWB{QC3WlH+s zZhY1)pBHxP9iYA@JyQ#C^GsmxL~WR%vQJarF|bwECp{RGLAYy=N=c42@>h3kzJGcM z`OcY*?q$6yD{0t#IQd_2tnnO`+NP!xo0EA~JzE^QBrzc15U!N!_PjK~Q#biQ54aK3g2 z8;d|I$~U&4hA3ub@|sxc{O8K@UarbY83_q5BbF2C{Gp7h|78w_qaQpqoL7`fYsKD~ zRU4PopS)4<*XQn_W0A`;O2FhCmgZm03jn~n_19w>oiRo^77djjedSIzc_o#bipRg! z$I4&jSG>?jpP-c$v(|93=v;YIJ^O8_daL%P<8qKg^}$a=ax>4y$waN zKN8A|=L_v>ksn+n+U;Y)YGT_gNiH*SSec9s`S2iJtPYQ=-Ui$B(7s+a`vd2kf)=e? z(^IMiEEoN;rq2s~Wvi{Nld zf9h7QY*@-laEwo(i>a3vD9@2u|E0~#a6P{?qLkBV^SqeC-Jv4a$W1#|}0xQA5?Mz)k4bN%0J2{G~X{J{un92~Gf1R!0rEe*(Jdj!aIvRYJx&4pLK z7+`lL>YU`urSG}+y1%S*3`6*aKI~m!J^?iF5|NKAK1cw{HZ5E&i$VaG zLa^aLv_LF!X=C@dQh~|Y@&y6E8`Z*;j~ZX7lZ4;QPp6QfcPjA;T+~wY9hQ%+7EA|o z9*ge{wR)>IXhl1{rQvITdd(6!nE6h#>09&A>+hXvj4`{?C6xeFL%kI zvY#-V5W^~7`VLf2`CR<;>q<`tC9}c?@irNHOy6FNZ)&434?e?`kWN2l5ux6WSrLmb zm06vPOD~v>;yhvhd0UP?W5NAtfU)A}(P)%;^y?olXd{ZbC1WWvv}j$uS_JdNriAkx z1k_A%OQqX=B^6^(Tm{L5**!vIs{QlqWw|0ZHN;Wx%B}3~sa~Ad)}@ATeG)aujWvp{ zkgr7vS$p|WC_gzqE5dNKoU;G^%i_gu^_8qZl@*FHM)8TcgC%0%r;l=WDTu2@JlAXnLIdNsfpZ> z^Z}HSUw-WqQ0B!)Ha&ko*9@5tcj(0caEF8S>Uvlj35AuCTfZ9VpKseCRsXaEuWtxwFy7U5v;KJONq}WUY&Ep@NN{{(q4dFh5ZvkM@j(bSh`H94!U`c>F*b$CLh?W zNGn9g8R40#Dacw&d_wVFV`~4lHgt$${N!iIo@$x3NG?4=xbE?Axs`&PWqn-ksf?7( zY6OdTW79giyYmyr+y%ywECu7fGHXRQ^5J(%1^PrBZg#*c&SWu|0$cg$(pCZusVJab zUXKn|vh5;Ne>$zynNUYQMSVB$wvu%aMB!OxQkaB7FxSIT3cun}6!VDOsFVU8hT$xk zi`UsIh2#cy`+TPNaDW4E^pVnDiDn(-Tghu9yYzg-A`BmkC( z_VB!W2uGR(1>`f6r&WMR!DdlBcd5rJd_CqGajx=7{qe$$)ar7q1Zg3_r6r)^n@Uh2 zsDi~8MygSAkDC~pwJ$ni>VN`j@6??+vc(tdzmK?=@3V)gw;55WUthUc_Bo=K$CjwZ zBnUm-*_6h04w<*4WIsly&1f>hDxp!VV1cOhyrUCvl=0PNfJ6WMTV^4AX=z_<@*Ff= 
zHp@5S*c{#-Yizx>%_PE~8F507Ay-SIX~~;0+*4Q&!wL9sFQ1EIw|G4|QuSy+UN0{5 z)qVj|$!59S0Njs@q9Z9=-!qKCq%b2;Ehdj>v~4`Du-v?3XsB3Rvi!YgbU+~BK>-SU za(tE~#qwA!F~9K*!8ai(*xaKYHbDsAC+O7(2S900zQ*>=V(hsWprQ$+ydDtdzPs)L z$ANmoMZ1FwB1&}rswk{Z8_@3uUV@;}U_l_hK6|*AJ^D1~1&?Nhoy1cz*(&XKSZ%Mz zKGg;rDfG%O=41&|e2~eNEt3->V_^~hQDHzu%h_@?>8f67mOW(Jde%r~p6rr}iAfR( z(_EP1Svc`xqS0hfef$_>!Jw+4bm~V<;QzzeTL)FSc5%b!C?cSANjFF<-AE(d9V*?@ z4N7-Or*wDcmTr)e?#@kbYVZBs=y~4nInO)u%{O!Z<1mB6eXnb+U#zvRsnKA4Y?zkW z6FU04F(zdrM(??*{uWez$P3T(rQCwPC?SbWAA@oO@BS7cRsdJh?H~YB7Bz6hVh;d? zM)dZzzK^oevac(DAcmP@A4W!8r;6`phV#H1X=Q)%SX{X)<|&^Un7j#S zwce?<7%48dsSmeqg6T!AgZM%Ah?F4)EM5c=%SdoswEG02!tUBdcRj|PUlAN7vn%6QmhHmmSK{-fmd z){uEh8-82;Iyl~(>_6>|NEE+G3&0>s+@G~S$Y~~Uj%Po$h3R9{ma|@3hFIw+Uy<>y zAX}7qdq%my+O=m!&Y8EPWPeoz>H-%5N-Uh72@ky;&%L(|d?wO0;=rOjXri8Ph^;PE z`?X8%oufapkM*rf=%>R3&1H&yOUMBZv*+heu_bYXf)%d43Tw)w`cHQ*#^-+mNqSb{{hiC@V5*>N>7CxGKbNfx>#0oW z8`%ampn_PgPHEGt{<0YSZkUjfYT-w?ot~x1+gR-2Vq$s0En9aTIX}cT?(eP(ROl+U z^{{^+B7myZ8;Ut*s zl_107@Crh^#L#)+bd|W^X8_aQ3p}X?Dzxhf0q?)w8;0DU3hfSr*c8xfA{VXI=l2fd zw?n70{L*jEM8`U&Yh^HP=}62>8;_fd2*YBkCC;(2svPZ8l6MNAGb}qnwy-j$G|04h z!CrLMpBe#BlrltXn07$fJUrD@4Y+e+30wg1e)a6}w5M;9K+zbkDk={&8#JP{hfFSJ!|P$? 
zyhAdhO7kx76+)=8)p2_{UROqN7B6sptZ#tUs94l;F=XqjtGCwWZ=`8Vjy=<@+X>v4 zNo&>Ch9kc38gaC2uHc+G4aJV$~8$g+;r_ zoHLLv`@4t3?Gx0VI=x00zhX2Mbw%{UJcsQZ4x?++cE|)}yP(7R$3Simr^*WZtSr-o zdFo?iRasS+)x<^LFh_N#!QK!Fzk)Q<$`*owX05r%jC_G6rPqZT%KG5d{{ z1Rb6EjH7P~jX56v!fHX}(0=iHhFYb9_A;A!O~=~=k%xMK%O@F|*8^p?ZYOQx-!!k2 z;SbHj{zLOR@AgdekPt!v$^xOC1Pqdx)`bID>!QWp<`n16y2T0V)@tHKDH@x_5F+-< zP2t>d%MxEzzNEmCawSO65G1ct*=TU|Xb`IJW*QP}ROP+)r$bV~p}BsvmbC~?SFOG` zQ6QUXC#xQoj(t~HxVu1MZoZ%O?;>PV=b_vf=D`(p`*{a$U59}ItW|!%r41xSKgtS-~KotAC{ZHZCo)dYLs)1 z$zf5xIAL6NQicb$SpTS0;QW>a;v2mx0c>iSW2|*?z>c$j%Kbuqv;PG>moz1&pnWP);<1gob)Jt-J)eAis_)*)yK@Wo)dTX~%kok+$KCUE_r=Q&ZI(Vn zQIy4<2m3@Fj>;kh!H%C>#YE2gfv6CTXBIQ=P9KBGet`kk43FqJ#g}(TD32P7us?bA zTTH&g2tJSF+fDiHQuPBnKXL+sd)8iuwQWpwDiO}-b;`{wgE|*OFKuo=#Rnj zI&M&&!Z>LW-6rjdoq)}f!|-U2{mT8c>3$~OMrW(eejMOBE{wb)m7~T=;G9(aX|?%3 zDjG1l`a2ojV*ioQf}|LX0J-ClTyZzsJ{PfmWwbd7AMla4z5WD>xo*f^R3{$ukGh9a-hKRt*XxRM{~0@OKZ>bmaLcqJ96c29h6hK^RpNzu}c%bq%mWNYgs33O!sccOKeTB{UCO z7Qu{F`im>yzb08NSb-ni8c2&HY@}`6>=Oua=|Ez{ONcS zKJOnG&b)_VDrr){5qBYXd7p5y!?Kd;-7yorIeTMbZNkvccRW`K!1b^Y#tZQ3W_sl{ z+D@bq9)p=#;)N@bc=gv9AMXQ;HQ%(-bY$nb?N6p73+Z;`TYC)&9L`>b@);eoqS+< zeQg2AKJUZ9uPP(zi-+Eik3mr6cuIikw5r-V>cAy|>NmH020-*FF)6kgS-m(*)R_(48#aI(TyXQc5z8O0d4EZ6T|(dR*Jpv4}aa0scR+E zPkiFKzfY1BC}S0NS4>Gsd3FsxdcivDYe$;LrmQSMDD~z<9H4t<32*=1aF$K?rw%dy zsYBV2Cet1yx5trS&nb06kr@1}qa3TzWtzkg{HxzR;8e8x`D4} zN5vgz71D6_b1j$i=9-J};inoZNi1A{qL*|{=sDmrgp&3HgEp^!ixWT+veDI?Tx2C- zy|C!0xCJ5K84U%Avic|Ug_bxkz74Zc6JeA}4kH(?R1$AC@115~B>JsAR-+Cv)_6rw zj*e4}I__pJ&o7)#2$Xx6>U110?rx*BACz=%E+@3JtM1D-GFmO#9vf7Pwa(_5@A{Q5 zw6mGm@oateBTrzEJUkdqHUC*|!*Twtx8<64^};dRpXEdFB%0scY0uu-6fS<2l6fOp zJ4C}9-doguPhyKH>b0mHyK&5Nt;ez3(w-;xZIpu%CUNOvZ))6345ry?;QGPL^wfqsVn z*QyOj{B6^i7yJ=E1AZB$PEf8r4!xhqYg-_Q*fzB^XA(_llSS#2y{I5IJnEb#aVTTR znwjHeVf`zv*`n|QG7{P90NR0itDdYfW~wOyWKZYKn&)x4?GKNF+vT zxLN1bG=P6qNa&J)Z#2~7xm>>`uH2^~yXFx)5lGS{sgHg=PTyT!F2Is*;#E`|tpVg` zixNL$dVZQI4xZ0yGaXHj|Ya|LvHwy#O-WA_HF zXv+3^Kl`rdvpM|9&yYs5L}0+{zrSnUpYOWy&v(5POYfw@xcSZI 
zawn1e>MYcir|8o20l24JI+lfN^~PSFF_rD29XB>v*F#{t(pl%~h{Ms$;Utcg7ig9C z2AvEJKs_gEm>(slh3iEb=9c}!cG(_cw{x*)q9ruF#ckR`JDjSR#?!mQ>D@rDR$f{K z`!Q{AiTvz1hvRkU-`_r=vSei-1NSG!Yy!Db?Kk5y6p5)pHgW1~zPbV~biVr|;sy8@ z2-}4w%}L_oT9tVBr0&in^KIkkQ*{yr}A#Tt+j4N{$kDkaX4d0 zVf1t2$5Iz}Mw+_flF?PBUoDM0N2vaDAKu3!e^nE#EH1gU$y+W}k(-GD#n&4(QZn|u zE^x`o8O=&wC|C&LwTpN6Sq6+6HhA=FqHTnCDrPnU#@jJZpF26F4SB%pPiX&&%O6I3 zI7r&vn0)DX$p^KDp3a!l349d8d1j*uzfpHJ@T^wl%{zYEe*nn>&8{PeWD@yg^?98( zIF_)`rRPy7wiShhK*dPy+E4RVyl)B2Qj!(>6;+$hana}NGb}7xZZ0?LY=%wi52w|m zK@UDf54FHura-&&Rvj>L^WRbj`Q9Ia{hP=i6>g8T;U&`7wa0$M6|Y3Vn(d1ZUv0V+ z4&xZES1X2RHtX_o_bA7g!>IasXWnu7Hmc#a&@%RWeW+gxB8%rMUz>y|zdy5l_{7>f z&03kDsK9F;n*4M;10QLBx+6^CB&AGsgsjzOA^qf`TG##JYYOUD0r=2ri}z`k44gYa zCEgy#8BjeW5Hnz_X#N`8GS8 ztzbbao>I=O$F^Z1*t?=`J-WVfWV)hvF+GfgcZYYu2WagOOyM2tXdu)Sy| zkT^Bw+wj`v8c}tbN-UPPDCH;1AQQdn3UOMo`ndd5Vzq3#QFm9jTmq(}fvN@dk{V&? zn^mdAXbruKp^~4qQ5$LM4kfMop;F;5wTkCNN^++kxcycaq+EY!x3JL=3eR+xCX z_3a|{v^Ii8Ef7UWJ$5*kJvY_E!lHf^3NLPd+(4g)7m~K<8b%TpV=Eq0>CSYs9I7ml z4_J*0l%TJ;b@B$Q?r-kT;%L)C2S@cRjb5K90BuDzMvEGe za2TWf-IY|iR*RM{m#va`inMx}nmTGKhic)bXOV8@6b{KZtJqbSL-k#&zIfqjh@ULy zX~pw!ekXm`b%Hyy6DIx7z0NHMef;6xUgTtNT>F4Ev$g2;mbWV9`t?in7lzd;xa#Ew zQ%f1kvUKSV1q|x%QMM=$oL8^6w)P6`KtIVq5mSWh!ljx_s$-eN>Lq&WgU$z~_k)F{ zrOlqgv|KDjByC(gkJL;PBhRE3#p8^=)=MY<)w0v9u{UJ11X?f=#1&^}Y4-#lH{(>Y zMSIeu5!vU+AY()Au&OhP7<*0&_EY>gS?|=*(M>K7d!-2S(;kHp+tiOTh4v`6ylUVx zHe0AhUl2#Rw{s%k-!}a)F|g+8K~y~u`YF*cT3QS{t5db8Vh+F4^3ZB-&2J3}Artwd3=(t@i zoF!u_w_VlQXaJj)SGF358|i$7aeRLi9{D-dZnio+NC;AZ{cg~%_5M!wYB%64EGlY( zPFUVKF^Aqi8(e`kEoS!!U+Gzf3LUw72wVZsQblhb|9gy^`?C$hg)6i|hYGzvU+e-|+<9~Vc zD3%5(a=Bvm^Qa3Q1&dp)CYP%#Dlk_Ocs_SLXC?`&6Cde7)pvhy)PB8WPk1rI25dGk z?oH-TI8MyWJPr_9Dnf{Jg+1aT^i&~_Lz8y+-Niyms?PU9RED`PeecaKhh0G*UifLH zm6a_WaGK;eB+)XQG`Mei2;Q#g(|)*6{TjURW%NfY>Ca-bt8rJ*NW{zC-D?(G-G;1D z-zScyax+utsFRZtaGW{wdcwgLvl~ZCAGKDolScO`MDNoDc%56P0Ctg1-qDfuObKwj zQyZpllhEIEW)Z>;d6)-*ULPnf!oHWBx;IROwOqSVRZ|aMS};1-wwi!xn+eLXisw}4 zrOfy&*`N)h>DPe187>i5msOGnmZD`3qEf+s9pIbdxT#B|mT0NpadPz&m+QZ1Fdv2t 
zk4&;D7wAamZOEBK&)sc@O-Fg#vaEI^$ee(4;)@UKZpIALWhfh>xn6xr3a?HOJ6eS# z59wMsa&5EFT!0hJ8PfEoL0>by^1gN4xCD;1)~)#(hMz0ZkCG4IgT^Ng$At>Ug*~MD zuXrRN!nY0``suvRakkAhAnYFxM@jo0UIQe(D1KgdD~Dr7J+|f1Cq?V5ZTcUQr>-rw z4&jd1jl=CrXKP66?@J7DI%1Xq_iR8x@ag}!7czg`3(SAqivx<`4;V;7k8pC-0@#o7 z51gE5DrM7rYL}(9_l0sa<43s=|M2`c%d>A>j=2}!1_|hmi6PayZh*YmvJM*MyvZ&m z^cg<(s$M>X<~< zvfZ(MunhKtj@A1dTk5+FRgaAuJghNt+OCw$d9QzYc*a$xpKCQHEZ;z>(A1pSnu=}` zeY_$&WA#fV2zj-PdlrOx_5izZ9jkfCg>kttz^Y!UJmpVV=XxM)@`T2snEp0%WW_{y z?b_41uNnU>i4WFe`xdafE|r_!F0(dDJ?$6n)!6eFS8GP>bZojou^Q=aHHUa`K45uES9kXBP`;&Ux3S%)-gW-ORo=%W=%`wM?41db|GI=9p{ z?-Z={%|d{{c`4WB!zsnxk$5%r0 zJ6n_ggqHhF6w&2{t0CXA-F$<;Ey;P2<*Zc<__L|v{nS#VS8J_t&@xLaOhf-+6~1V< z3M|@t*x!q8kRe2vZ={CfaxYcD^}NM8mTQKeE;-%uMwLU~oR*LKE`V9AfrSRiqYsNs zP!PW5!q%#Z@G0?i7r&*aobB4qk5R;I+t#}$^FvIiX&ke|WWKGdEG|(jV8-IIadUMCRjSZ|32PyU|nAJExS}c3gp68S8M8y;Ax{z{1gL+$GNk9m)+}wMn@R|yI>#{0o%^5Rf#_f=qqzcn3 zq;ZAjlpVtn6|ODlIwWYyJJyGH*-#8vBCCNdo)~eS&`2hR58Cc z|BTMnCDC9|SE!&!B!+fW*Xm|1Ey1WnXWQmB@a09V)~6DJW#7Yk&#Xhpa=(UzrBz~5 zb#_cHKS^QFIj+pn$raEm=H`vKFZ?gG^ySMRLt&Ksw^D>bdI(s&kGlYt(lRGe{HS}R zERVZh;1Xa~FkG#wTI!s{5#8DZmmtP9+5t*hsccVPS%)|>vWZ&hd@ulhMgBxWbR(M}DukH>#OlsO>AS z0qq;TJfJgr(H6Bco|1hCpX#6A{qYm%9Cao2lk$r>+P5Tm-i)(W>P>S%S5WCndK%O++4AM zwMt2;uv9&A26eXX4Q^{{iqbybvNIe<{?1V>woiLbA)f>xRPoJ>+&|#hmhS48cQmNV z5Px?xwStJ{D!f}&VXQ8!am;gKY}5UB!Q03 zQG|a4Lyr+QLIl6ZMLC|TIy%5sNnRElFyURiM~08fS21ntlXy6| zxsd06iNkHrN470}_TtrU_hdMXUn$AZSGVI>z-86u?&Ly|cuLVXb4R`5%R%EGB^t{% zQL$KCP(f3FK^*RC^I|l)URx|keyS2w$vEkiP>fTW7oJ+WfLk8V<(d1djYD;ju57{6 z`s>WQ^J|7Y25CTu-bmF{Ip&X2w$2S(xE_`%B$WP@xMWg|vRI-PHL;D)`D=8xewx;C z#JN#!8t@ZFuoNU-#Nzyd0e_lY8iz=u;RRW(npT+*`*8PMrTgNrBHB#99cY6|{pu%s zC9g0G&;tp+!B*f^g}n6aLw1;RoGX_P9#c?aW*U*xc-w$0i_d>Na&zIjTk4%Tw77wV zb@>CEmH+Fc($eFcU>PvG_%C98^QXkr{zI&9NE;)NzJC8rtep}~|4;Yie#uwR{*^1< z7JpHjB{|p6x8TXj46Msrn|l__TB|`WlR{&j*7>YqVE-{0-!@cm1SZHP7rSjVGW+@X z#<3i@TtmL&`1(*)DtBeSxO!9LVA^N3^|^1zW2l@1NWKL?^cke-uKT{uqs$N-t918a zi#hafLN_PT?Ze5$uMlq6ODD#b$AZK`VW6K@~Ii=4TxL9D{9Ss1sWl9jK 
z-Le*T=rj}Qy0chVZ6uUv<2s-7Oksd>ux`FgUAHhtth<02g*X`c=CGUFkb}%remZfK zC_#y9g6U#HlrF9Jn+Ik6XyBR zV(trm@fWbn;_LIqpxturs$P?brpQwiZH~eD7bOCy#ZfoT6N%R@ax-y ztbV?(P9*wO?jnk+{>^gl#-MP2y7rFWHG|BO2oBY}v)vD`yknu2Nqeji0L37RuXS7i+gxFld(V zcx3@n9=rTrzpa>L+n&}|WBXOtHxJ0RS-PP&yF1K>><-VvzDlg)ck|FVc}Q>Qn{oHi zwD?(XK#Qjrv^uz`)ZB}@hfSx}^S@~K=#q<}Zcu(^HlO6sPs8ZEgIHTPT-N?ErmN)Z zR>qo=y2#Omz4f;+8Nj_yurZVeP`$-=2))8y-fLX|czFOKsAkqEDp7=+ZG(ZEP3Ed7 zdBZ3b!2Q+v$9SvTU4Z^rKwQe(^vrBY+RRz$w>U1ry$_rYBShe>=%*iZV0WQsXcfHr zNq(XC&~X9%(MqNUXwX@3bhF{1p~=fZ?8}wXajUV*C0}$#jf$K`&`oc#4wfa6NQ_dN zec!)V5g`=*krp3q4`3bvVb>^0nF533cZnSWcX8WWXR}*?VX6{#U&4UliOk&^K8C5we zgobYChYI173rS{Mp0HpsY!6(?v8%t<=WIRJ_BC-xNOBGPy-Rn4mP?oS z_s4=C8ro4382E!x+wQZWLS>8tHfuCyyxA{XGmM^~Yc74(trmJ%ZL{#NIQC6-sBtvz zx8rWTlr}cb^GILNoL%9XyG?<uxCtKWJU^&D7r9o6OoCPLVs zgi@mtx;0y`b=%&vC>uTH>z3m&-L9btCUyYm>)q--umfA7M?TJkWIFd2M=XMbBv;^gZphiPHt3xsj}{Vdit8yV@zByxKJ zC?%2`LfdTe?PzBu1G*#V6SFkW&JJgf} zNp!5U={{I+Gr0@w5bHC~`F@Ejb`adgrWG5`%B(b-^v!4tdU^7jlivudDUOL4!Hq6YFZ= zQhhjbb)R;6YV!-thD_1UhDIw&O!^T4jy1X-{qqmw@@g?twGi?`3|}0u1D%5!L&)L% z*ydc`aq677qRcD$C&jw8ZzMtL*e1hUeNtKA8F6y6+)D|pGu~4;!;KgcWg4mQk@G{< z2iq`dC0}?w5o@@oue9{*4#P$S4t@cWBTrO4a~E9_2(UnEa)TH{L{NuTojR`9s8&x1nDpT zdZwvAYzuPPk!EA`ybl(|;GAWVl6W$N@g1W_K+`lIBk!Ysj#lgCN9&s_oD-Xl>ErJw zH+d=7ky}%SCw;Mv%i$8l_=yDGtSAli(d;j-sVq+n7b>xHHe+A0qH%1*p>bdt^^8-t z%bs}jDw&QzQ{NbCrafC&JsH|)mY=9`w-7k*kzvw4t8`xz)EYyfkOuEASSXXotf)wO zg}d6c^uI<=(BUk~2}RSX_r+@u;1R_O#-P?b5zyJYq3o6U9vL#N+@Yd={MSJeCu8-; zQHSyh0VepT{X3jh@@r~@SW!RCOiTKnC#{$`#1T?iZip&P6ukseXrw>7>`X0U#f@Wg zp3paaW)`m030jA?Sb|!PuTd5nv+XLi2=K?V`p*L$IoE@kigT^Y9#&mnac^-ldkn@I zLh{n48Vr5=h$@}rIusn5rShhVJ?*HN#X&gEd-NSD-6P3dq>e%PuD@hp8x6C%^*V6#y0uV&pZK1B z#Pr@)-eOfk@^pm-u@)-MbfB_AQ!&W0B$48@SMN9O=eJx>XUwMJN^u#LQ6OP<+p{IB z80sZ6;#zJ^tk^9=h8NxN)03Y*A)!%{_hb4K`H;W#XRG5}f1es4RxM1Tk^1~2Wi~Qm z>oM>M0|v>!eE}9Hs@eGkj8vA}MJh-VS(SbQkOc9|iQ%TRaT@XXk-)X3bsjF~=VQzQ zYcuo}$|9c>40=r{sAIe0s=8uDA1EfrkT44jFhi`1azY%~?B(>Qi`9{YEBL>jK)E)i 
zEg<9IkurQ=WD(-7p^&54)OT`Wm?RK6`ZXeU8;$d-OC*s6!HXv?SH6s>VI*n3orjbX z5p9aYo{K#M7ctDQUpKF`;D*0Fzam{2H)Mt528QE8LNC0gwFOq13N*%5TZJOE+MWcG z`nn!G<5^@OUi-nUltT!F?~%jv{sG}Eu%U{rlZM{j#R3|y<{ejR&n|FHLQNgr&`b}^CuGO~L4 zDQ7^;MtUNmSV4D8F9kv@oW)a$X0$<$WJ70X>_JObkTM*HSYWl>?z}$}2(R`L1k6#f zuxDG`8Q>Ca?m+pJ8l$7{LcsVsX0Vo9!1Te6IwZB~$A- zz|pV1KR9|)u24aE4a09>JTJs}as)gn&K&zZ zgpDMIiHc6XUl28|V1H-2TC95QFy*yI4aW}B*XY~{0NlA(Q1v}|5t7y3A zE5S^Q@=y`u_avCq>>aKz*k@R`mr_`I$S)9brzh0%gtxvH@8q_ia!^FBP^#{h={yLs z7`A-RpO5u5jy*K_nLJ3}QC>Mqdzer2VLM5!Hh?@%1?IKx*5J+i(yN>>DyuCBbJM50 zi$=;xo`QgYI>*U&%gW(Jn2;`kNNl#~n;2AXczZldB$1YyIv1a75;mx%o z-Y?%`r3mqo6r{~8R1x6y>Y_6zS21zM8ZXNYhDn0f!8sC#baBCP1Qa10Y!=fW9>9yN zODk6TswR<{eAvz>-aqKNWbwyy^}7jEo2aQQcD%Sgd_}?W)B5rLh!Q#GuYW&Z6rX6U z7+rAjpopY9y+$}|eyQ~pLHb7)!fS-L(LNd|BBG)-A}GvZc%kCW2df)v*^Cy5w4hkM z8aw9Wzhq?5FAfN)^`d1}$1zd2rnx=st&dDA>5Vz;2d4`{@HepRCf*H&R$X{DHi%6( zo5z=2)?;8&r#@ft-!8-Ot7`}GZT&swO?mzm2hliB0J8U#$7KtnWVYk^rZ7~8eVqZp zT@#6G>+hD<$@1=8O22+GN?;z{5vUNy|QIx6`BN=D0v|m!{-AIf*5~n3dC)?*vM2Ll&3|lo8 zKI3Rogy5V=+bbPV=JuBv)V#}kfg~FJclS~OsusOC`X(Yo9$T>YY}AF|z46HqGd<-G zo(20z^Ee%(ID*weGlMKa=O>K#9sNw7OQK;7azgW4NZ#7R}7OG z(1&4qZ`JpDWN~!F?nH^AgDb97WzuNWOA*+gVi-gC?Nuu{{?iNK`jlHDJ|=l;wkIo3 zO?Td}mV(FZbywK7_}1}l9jH5O`<;?_hz58%$@8=A#A=A(rVwXRs{$^=tFH><@lsi~ z>YqiB6b(qK2o8T`y_1W$ztp@#+-Xh(1(4TBofFVxsYmM6b+NOC7HQa|ns@bsXRQ@6 zc^PU&G3W=rjXxn+evg7E3^Pr^gASghd(>Fi9N((#j~yfnczzwfPv7idtt2}?;o$J9 zGBI8L(0oXbP@O(J_YsTy@BewY5rF$!cSf^u{CM`2faSG7_Qv@67{ud(+Vlvqxmu?t z*mbt-tm{mYnO?1snd8H5mQZ#_Kq(-;YP;}!5Des`?_yE z&lE}JVNFgHlAw9r`-jqPqIw**nkH;NJs$kPe!}H)Z`jJEU0pmwrcCAT!Y2rLvA&Mf zNLU)B5RAbWPj85sH6|+~yIDajd>0*p6kC*^HkiWLsL}hHBE-t`?96@+O_vd-RFHO5mxoELh1MN2$qh)S~k_u&J5~3F7^`MWoPcm5_r&Ua5p^v zJIg;BCyr^gMOdQbuXaaDg-duwqrntqO`bw7mFngI4sRrxZ6vppqJ!1>K=#vx&O)XN z;C{wC13S3t?6=^2;D4O)qR!18h!?NO@3`sfh-kyY!rE{b3YDfKnyu)XVNCjbKBsK0 z*QgU7MtKXOr}P_e?*0d9t0GYjBEGPf+(x;5WBmaY7*i(>PbBRU8eg0f_wepz`yx%sb}q*1yYuO5_-(rp+YV04o>m{ESBejMvk4OQg8#m%!2 
z!*|lKqXCK>R|#gmFI2g0g&vL>s2{r|H}AtYr|4CZ6GI?{Ctbl=$Gwq6XDL}6q)a!e zNHrEv!j}gV@3H@G@HuezqERs&d@T<4c`ylEG1Wk#jD&VvXbA!i-e5khh<}ybu3-b%CyJXG` zlVimq@y6a3A4-S@$zz@K1Rz!T;kG~J5<`k>v2hP+@VP=yzM4Qt=XDpo=iwB#6UC59 z&1z6|m4wU&dl08?epl8=Znb1b!DA_zaYhnRDReqB-dpVs{%j66h_&1$8}J#7=Rbd^ zRKOWSQ;)Hg5=^+Zb>@5Kgnz~iA$=dKt%9HOYbTozx6ZH?<&oF5`&_Fl-kJ1nfKNwv z$t*F=jNO~TP9o}^x|UY|B@XSy-T1@_B-V<#;W}sb2a9BLH5N)^8fkD~%*Xbw za!CxE=1-jEXT32yS=|wVeBxycAfM_(?S7~sWjrf_cwx6G$cLO8(nup-50=D+Rd2d{na@#cX0;nBX zgtWvvm=?H@-Se*n*OP;%g6v^y%Oxm>8#5nes5jh;Gf;SlJfgWtqc59DA=?72klT7K@zcgD=_*q=NBV?k(f8?#Tf( zISrs3X|H)Izlj_RdO2d<=k}siZ_oVolOHBXD~)Rd5h)b?<6d7}w>LF_1)`$vaJkV8 zXlJu@+qd&12rLaX2J>vqX*iHDwW#x$NWhv+nsN%i00 zX(h5IJ>Qg^?s^Kr>rTy5$T5RQ@>H;gy*I^+5Dp}-Sv7io)mcJwQBN^&f6!RkSPsAdR+9xb+(^!ZJR=@CBN@Sw8M-n+$nMKMiphlKo!lifFJ9ksDd`T}9Ly4dbs6sB# z2Hf^6U%C5-MY2XqKmSV{_wu^4cNbD`-In4n^-_zc-(atj2J~L+eAfz9p}gxx)IT2b z=XU=|H#`uUwLyxRYKTWg>1Pc!AwhKVRH%jI?lv8;L|@@dLiP2hbb$0 z4KDD$*DXMfS;a^aYRx}7P9;e}`w@FW=PVx6Pc%E-Ap#qb6`Uw;y$>NjUj#E-Ce7Y$ zG9V0=fxSh*(=C`$Fh`70UE!~=?$s-G{d+yq7?xWWdj0MkRQ`GnQI$3OooQsuL2_c( znXrPqG(^e&|RRV0-W*ZRRPRZ@8z<~Wk&RyEN^ ze8x|OZiwiw8gSDZ(%&n7Bd9pEqZsIOE`5^+3D<#x+gj0Ry5`>Kuw`Ps8~fQ8ZcfMKir_>(p!|!V<*&X-DmSzXdym?y()= zywH=T2zi#?!xHyD#N;pJn?Hh-f9@YaDr@))E+APwy#FGKaj|Dsk3mgMO$1w>B7OEk z{JU|l-RHXz)JlKG2jgc;d}SSYmM}neYclzuPu4&B&n&G%Bh3EU=Wa>yu66{guJq7-yosBn94E3VKz{i{oG*t zfc&&YsC1^>)6j_G=0@O_FBn7IN7n5ZJdV<#iSbZ_sc&HRo9G1V!!7#O&^OKdMt+Kc zKu2Y_vI*Y_MpM>z`K@u3p?l1m!R=9Gcq6?e31F;MkLw3iGXm&loHVne)HZ*;7>_m^ zHm31OMD*!k&s!uEw7#4xe#{iA;Bgk&&fe2mgNcL4RKBOqV4FPXVj70=2gq)fNjKm6 z3-CtTGsE#7fHl|K`LZt7u=2`;l2U|Fm4q2nq0^Z#e3>@6ntb-^VyDzXrF)=G==?|Z zV7JYi&zItjFO6GLc69~6d++=S&A(l%E;zaMj(OY$SD9~}qq$aCg)#$D$l5CNy|h~_ zSVa+xTqQ`GhT>(|azf-7siuajjH4b)Z>S_89KZN;7rqIVZxW!FJuh zjxDmXbvR<~Xp~Hkpdr9L$-#)Qh(q6u@v2V;FAKwQ9B@MPdrt!b1>kC2z zKk?3#})mc%1#$t2s)w>y#H??yG=&hA|%q=qHg7sh2-JR9i*FFu#6k>3?c1 zmBgwq5N$Bt&|OUxj6qE7rwG!G(j8jL6rcnm3$_6r-|>iu`l*}uZvN_?OWx~z8y!S# z2v$I%6pjZd6pGtrXw;tIo=qcy$!gvQin|@uOQJh8Lg6KyQV2ACoE$EuA<3EogAU<9 
zonOUa5*nAJHZ^Ir@tU#`3Qx=2zh(!1iBAkAlD6>>UP?=^rn{@TFO%U-`L9_!4I70h zpAC7W^RxTh)8jHl4op8eI@KnvGmcT|zq^JNg#!F31?9BQM!||5P>SX#K(w%`i^_Z| z_1*bCuZXgEI9;*eLtovQMF9C9lw)cY%WlkoOP?;SZ|ci|Su2$O9lG$Rv~C3J8==i>#-pSL)&QmekrA6e$ zucet8f^r8sTrFp$53~41Mh1Jzu8*a(lCq1gg;M2tZ>#ndqaZ(H*Q~Dy$3&^ zx^cWWwTT)E;SCJKxtNjgIr0CU4}lb;92CC$-}VwaNZ`vyBbT)xS%k6}f%SpeOT4Wz z9i&3gN?NfwIU2-*3(yY5Q`&eqtu#?S7T|oHF4umQyV63mJ+#$XR*AOOUd(ULbzqt} z=8GaygVV?ssf?5p!N`m8e+44v??7}U{wEMULLE=3F>Zd#B2q96KLMz?_Q-7=MaS(4 zd8Wt5jPcGvI~;tEBQ$1-2qqx7q2AX)7priIhmcz^nCEuBnW(94J8#^aeDYViBDjA_ zF!NZ^mYZXGX->QBm2n1JbL%Wz`yZW92?jgC3R3_8d%oy9k*v~PTf=BB0 zr!l>8HI5kL+{uC}y55xY+l&hh8l=O30rbllcfK51P{y}vvHVfL#^&<{Syo!NX9 z#aNBdqGAT*5FW<=aV3F&ssT(2DB=(Fzl*qdV8YPbm@i$wgSZ(8VzuIAe17iw?)6;F z&$=^tc60X(Y!Y(Dy-#%Nd-iya!2x@2$G`_k&I6GM4}-SB#KQMAAd9QqBGpoi15WJ- zdEN1w65EB{#|ZY1iAC#36+(41^La`C@=W7=YcyK(4zxB>(>83q1av;T*^w~ngv+uDW|Q3;Vv2_m)W zl928$C8QgqB&EA0Hw`M?CEeXBDGCTkmxOdkH+*Y@=REH(&NH5K-shihjCTzG+}_-4 ztvRoG&1=rNZp^dYL;l876@m4M^PIlbC$!II(hcM@z8BG~Qj)i2_IM0c!XAb1JfAqw zK*UwgQqy0oJoG~s5cYwE&lOABw62j&4T)2SF0r73J~-;)e@GpxW+=XwOU~|Eqb$!v zEge6DO4d(xq9Vc#0qx&51X0+pJ>yFk{GBcL?3NEh=2D;TdqrpXSImFdiXh85>aYb> zIWe!vklW=MUh0n#Z9=8Q`PCZqnb|KJ?_3h`!%&wpDoqGoc7IA7KUJ=hgoY8BMK9i% zj1B^|&UQ>Re2&33iZw5-VlkX3;V{f>tD%7u-r?=rh_@-ScWfR{1Hn5*`X-s8e<23V ziwm57c71*QN+ouqZdFJ>ua1y9#_d*3E}+3J_8uYecunMIlSbun8Ga849Ouo;R<=_<&-T5_6ALPWRz-_b&fw? 
zW&`LVAT4>@ueb=yC2M(wF*7XSil-<1og}lMims8RvvElBgQETjD;QMYjFuZorW$oxm+&)^~ZJHx7VU$g+ z)0-BYQtOQ;L*&!R_nX!(ATjQRRJz;Zcxre(d3G9E&x|5;(WaQ(Fxx(Dbu@%-F^Pvz z5c9QjRLFy5FvGp(C6Dc5cXG$CT4;&h&&%e)3?uil1>?uA_fV0Sq3~j=7pf5Xj5S7d zflkpUVI+0JXxfE#xks|WO3WksX?;q`1X0jjPve{K=%cVITKK(@iPt~n4XU4>$?@F) z0`O0T2_0!D?3H%k>$iVW2fP)oPY~n!1T((B`T0Upknd`_ieR~h8gWz;(I0E|svz{u z@r|=1ifWa6)ShY{U+slp*xr@q4v)rbn$U(e>2rewUH2|=>{g;HpgU zJ4S4uBfC5J69>^>Vgb+fsI^@oh4X7wokxY)I~ZfO)~iSI?uYHhYP?qA!^__CSl=p* zG!1wJ&7Z=nb7tUUY6}aI7+e~BO85o=L!z(GFknG!mk;siNfG@Kja%!{a=v9RozP>X z9%&$fzeU>CH-(V~@!R$JLt75qb_H)=l@B^ng&|agC_+kVc?7qRsiomUNYWZ3RC3^^ z5>f&y{p(mB)o-8LQn~H4PgQ<_f_16hAkA6XE-z?FU@`nvUQ}*mn<+F!YBE-cO*yZpfuf>eV)A z2u0CS>c-TakMDD?AMFxUUp|O7dgW>k6OQz@_Wj8%1cm+7>bU>sGroab3ycUv{`=Y2 z3J`+_Cdq4WNhWpg_RA{zcw{7zk!y(}o%VfOKP@Z>8$CTSxX!Ej)}$7O7PF=1uA zeVG0wL2_YBM3priR)hUS;a8N1duyFZ)H<~WCr>x>cHo)f>;W&e1}o<6c8-*v#tjEL z9|{@KO=cu7);@@}NFdlak6H>xf>sit%UEu5xnH2^F7Sm_I^WWb0C($|v8pchT5BG&5 zDIN0Xx_^E#8FQdstyxJjy7*NCX=DD@=<O&c)BhA z5dmXPt~RD#Onf(zM!P%uGX<%OsF^(f!c2KvI|WRj*9z;|b|5`milW&)On;_<9py`! z0Sl$IU2kKPIf7;ebGDH$M)kxQfwzBihDX)Lqkbr}7wQtA8g&C15g#6LfNrH$5hNV> zVJA@8RRjuC=56=QTo)18nG-mXH@Rbi5W?iV;L+Y3*IgnE zzk>@O040(%WVp`nR!9#zMS?Hs6_Mry4lLq9^N0rA0G>j@XM5PdV!jZotf2XmsBB}O zO8vQhKrRUFlFg?4sQO6m#aX#;S27=>S6Kd%odv){(KZyYCl}x+Fqb_V@HbwGgTL_x z!>kb)(T8xr|I0E*dLFU>OR-j-0&B{5i<>9=v-7w?u6nl6nMtqg>p<-b0R^&J%+-m7 z1N-$LWRMQ6D%Z5XvoYd)8d$?aNw2pId82O zvExNEAv9etw||dWd!!WeuRF$utmYEY^T_6U$I2GR4NIgxuwP{@LqG`XWG9QELHvxw zrXzwt{z3vyoU_3vlU~w;v-yc$uooZ$2RIpot49X? z-#ju6Vwj`w_D4Y&6_e+f&_b^)6s8ak;^~Ltt7q^2-LoI~5RAIqnLh<3|7RQ<%k|#) zcA}z4L>4xv(}|-@X(#Qyi2Q)YBg{ywL;t!tR@dgl{XW2EK+g8MBU>*DLD=h%EJ#t6rt2q4lKygZc? 
zkm~knu}B;Q#{!qobBe!gptZymn({vVji#qpXbO*|lfdm=ELikGUrp%qc{aF5f)YgR z_b<4X`a_K^OkO9BJoOA|9qyWAyv}x#gskpqN`m_#$;j>q6RMtpN40oLMUEWZF)d`j zc#^`2h$dUmdAw%ABfl|yH#t$`E;dyDs~;C!SI~xkGtnyL&lhjJd#;&igTNjdgSa+J z$xV%6nIAC|wg&t4oem?$V(`b5vcOTRqmxSik~n93C3m0me9MTZp})ic9Syak=`gnK z2>B4ITFlgP;2)+L0Stb4_o18gUpz1}#yk3OwDI`uHMgkU0V?`$L^J-hCZIo2-@3>q z_@y41)oYnu`nWV|^Q2G`{uD>b7yGf_3sf_*I4z7s0w zG53yfz{1;?y~VqorIFt5fS!T_*ZN745eqNgB*ewRc8!Y-dVD<84u%+lg$7nGzbeI& zM)J_&2+nx2S<9WzA)%plhjQtdD*}Qz`hA;#{m&*zE&gHE%_3zIP?5Ly{7HfzYupb+ zR3d|84^fjR#RDrR&0w357y2aC>z+ z8R^jVKd%eeY$&j5n?HHoMF7nmN#jiMYDUQ)q7H?@UcA-Ja#035l96xB#qejFD8&VS zQ@FHM!k+Ts$mnhqj~mhjzH;Bv4Z#0{VE-(E*{xjG{p6%kL2*PI%yft! z$Blomv%1Zou&~be%9k$|8xpDSFylJluPGotu@}|mo!nvf3*6QGtR9-$146G_oVOWc z-nI=gAlH<|I>ADFVQOuno$+(Y`@8&N{M+j;g{>9uN6|$yg@nc+&}L{9ha4vgcBr7C zp$UoOTaR))uvhepOpbr)W|#c%_~y{TD1mPlq;16#MX2`ZpLX4_v>3*DR`(O{W%wyh zY({b742h;-JMD3QlZ3;ho0pUgHI6Xp^`Wkiq^&+Pem5wS@Hp_0SgiUIFiY?<-*q#x zCSh9Jm9sfY6`@wkxJTs0Ub+Y!xtmkef{eIx!t^FAAI`2gjgkFH#EbF90pDOs0xJn1 z+b<9z5;iYkC(0L(51SkFRm`eU#at?>BEsnCMI z0DY&sU10;?o##GR9>5dW_u}u2?FGY4BKyQIvBMr%NDID}#pp8^255Fyn`FE2+bAfo zeemk^O+tWYS_22d3;$kn#|7!9>X}6n+|J&?;WK}%ca~-J?|dxonfKi(P+4&R#&(>R zxYk;8sn)86@Vb#dl%Vea9mBQH|G#7S|AjZ?(IXz)&f7HBtV3*#(Ld^Dt{x}d|39+W z7k8nOZ@HCie(o4mu5)AWPuL$&Sq@GtLf@^x#;(LoYPl;QBkcTFKz0MYo~4t6T616@ zIViruV5#8NaoU9CT4ujN--{k6I|NH^{;}-4i=NzUKTe`?2vGotE*vTUFM;UP{dyK* z7AH0FVp|D*%J1K6_q;4BHT`Ju-E<0LkSbJczdQPg zQHe_+Zs}P;-xH(OeB8Tmgw6Y3a_!Q2p&Fu$={DlE10Au5F^N)h>7Ry*0_P4mQ^tfJ zLm6t)RpKQhWS(Qcc_4HBs*)I;)i@!0^jI|x3;U-dl-e_1(@*J7UTD1EFnTZWkVw*7 z3l9LOr0D+=ynP72JCy=k#EcTS__8-w{dE7M8|2Z}*PHXQNOQGJyyQp|5-NMkyrw@< z$ox&*0R~PKueGv?Nl!g^Rk{**yWUDv0cq#gml6_kPPK-Yr}@fiocr2SBUF@>a}ffU zqE!u>1I2Y~uNRNN^ug3ffeLfvNMKaq|JIRfqt|QaxrSWW{CtV9iZ-)0j0|dA#kdwk zDi~a!e0jMCHsyu?@y@i8giyq>Bw46rf#uZOrPF}p-7@`QiFzx;;#bD(+(Db-w`%p_ z(XTA;--=BVKaEQ#$qk{e3rVdHMxo@CuFTU}$&$ewg0Ta`No>yTYMHwrU35Tyxi_+W`d-@}@jJ zZpW<<#`jGnRmz9y)uWXb&Bcz&Mc8ojS^RIzN15Mmhfa+hB)NhJ?4(!WkwNMBAw35& 
znJCh7=`ZUF<^g`>AFKWqk&i05Y!^gDvzB=GR74$iPaL!w9C60VjYN9g{R=t$=r`=7 z?O8GXsHu%FJ~m@B?8rSSbd_7lH^_Xf12~aJjqKDSI%&EFMS>i_iG@39}w zB-@}*HX~_#uvk68Cu*SipEKe91Hw}SrR;^2E=%pOo)?|;j_M>OP@W?6&dP1IfR1gCij107t-BxfKt{Z4%*q1jjLg;dz_s!2Rd?gn%7pBCDPATg1BMkfC(F z9%MFQ+4hDGegM6?=7BN$4TRaKex@zuBKDDjIwFqh#KpT-2WRceqwkFZ{Bac!%e^*8 zlRSz_URGa(`_?PAa-M8!ZE-M}4{&Zs@JQT>nnwq*sVi(xfb8$K+!5l#TC9x&Ci=v` z6pP5W$QZXiyz@pV8a*8$hy`9@5JaHGy2`jx^Um&7&r_z4?fM_^fu>HsidLZy42i9- zyuGKTL{AIh(kkoCf|#cXBkz3U|A4-p@?%A~5lP#=5zc=|x^3g!oQO?u! z}PH1ucH0?Qa{u7^euG;P>Ap{q+yk`Cr*<~*Ib3dv-$o^=VnRhswXKsFe`%o^V>}1&nde=sAfsv0sQC}E)XRkurX17Cz zHCOQwmc+eo6Q_4A4DdMl>%WPU`R*WzDZNf&EUpu2?c5!fxJ18~eMI9<6u{e;eE;6t z!7|=~v4+nu$U?O+hT0?tO_RTT_Ho0h&APiqeGjPN(dUcbMqXgc+BuQj5(Rg0qG4iU zZI2}Qt2r#hjeK$AogozHJHL0xcZ~49H)*lT(gzZ1@3BbX7ZC80(_h-PQ$PCzo+2&e z{_8yQ`A-q*79XQ|xNh)*>^hMYj!ykJNzUqa@U58+hyk3$1c>Y9T!o$Ujp%FXZQS6e z;#j389%@5wIU;b7q2{zouSZgk=nB^elT&3G;9cUy1bSFlb_#}uEOp~ z&3IfWQn}MUf|A9+9TCbnu;U+#Qg%e=NUB+ePWjAckV=>wamm(LUZ9+Opvdx0?>xG2@n!81qLSq}yNJ9Pf{pwY)rkG~ zQApF{?Kg{=!R9i!R1}jFT{H%#77@yx)R1K zesF2W&dif1T`|NDkkZAUC)CmU0c7DIAVPn<5dDn+ z>izrTBjF_`0#t3CnGO*tNcU}s&&8{0*1Dc-4@w~+I}D%Np5Vr@*`^(+n}PP?nSg|LxI~3ej)P2kbY^gd;3oNL2)lMCjFFL2x5h=^ z2D&V1zBmx({GE6^R`rzjI!<(-L?T2CPq~?_sN7#4ea)BXIkY%d;uI^^v~ia$%D-@4 z^2-}n%x>(*<)Ozfcx_)s2p$?YkS0Q2)vOF@E?P?!Gi(rFo?5MIU9!y0&q44X1gwVP zr$5gdpdoXGxuU+8?e|=QG3|_h@o1R1JN}Pe01PZFUln2LfrU+;fkNLAot40S)Mnw0 z2d^Mlk3venJueD3&>GiJq{f8Zg3FrP93silzZKh?)QJ6ccxqvQ01E&&+(vh*&`<_6 zl>TMqGdO!Ak9>2*Lr>KK52c02)SKfR0e}T{SSx)DzJjpeKS7x7*1OkFY{`>R&D&M& z(VY4PH#b+Xy(J$_bXD6URC(6`j9Enab-@U3>U6ijg8%(Qf#WPvq-n}y~ntY)CWPOdE^*YB0fU3C`hd&Au%%!i4$Bj^P`i86GCmD1N@Lgu_Dh@7v&PDNpIdU=$781F*e*! 
zNp_tZ!8d|vG~Dm-Xu+FFsY}Xe$j|b%AyfjJq`OPOmkOBT`)bGnVh1A+Y?72<1TGcX zbNG|+W0WBPMkN50+BvzCj+!EX`P-EyQCEWf2f{1RKd1(v9}Q2Q?pCI{09!OnNvC~q zWsAChvc+h(9COx4x0&fc)Dhk#8B-foqQ;44!{EFhv;z4hX6*z_ap7`UUuPUGHAgRlzU-RA*Zv|Qi z4E92MUEQvCwOA)wp2u)6V&=5PZ_Ru-tr_C;_4q_lEA-$=d>b2|s1hXbhT-X|GH1OL zBl|FQL6GEtre~8q;raa((U4w7Qc?+pw&dH2l=DpyR3yB-UkkY6DHn13i|G~GNWW8$ z*1PMuHoShe;SUuEJ z-b`MRLVe4P56h7xOc5oqy)Omr>L%o1vhKM3>M2)7;8DH!@IKB%az1%b4Ptf`%c;!i zK9Q7>0!cFxvp=@Nx@H4XK{&xKl5NM`RK3#}!q21-n$gISZffHA$3mZA(lYaqxb=y8 zv8vah~@>;xafV)sW+=YCiu_AK z%b$d-r5@(rq9a$lA@yzh$JAJv?P=J8>oW;#p_Y}Uvcuf2KGJS&qgJLL+q}+Z>too} zF|Qh4Lo432k(Sq1%v5{czh{<81)u)vdedApKP)UIk7dXjK=&X51=(1w`eii2`%@z1#np^m(iG{CU z&@sH2o<)ircVwAhI>U82=xCO^rg>QxLO2s<%QH1OW_u>914)g9HQd?Q=2q5jr&sx} zHIfdQP2(%Rl-}p;a}8EvDstQV&L1l;NU)+7+8kIv{?^otpkK%^QPEg-cXTq4*yDA4 z>mAs>g{TE4i$pZn1mN>eILhCtUT2YmeScF{`4`c>a0j0L`Wy_(d4nb|7R7y(28;V^ z+r(R~uGD4s0iN_D7J3q^%udIHNzj~1CJI#l7yX+4gITYbU7I=ArDi+HTIJ?Nl^PG| zR6)cXQ&ob1ODT4wpEl4IqB~_}AsHU79;@wcA=`UZKce(te+W&7epU`Va6>(;-bxFi zFMoRnYUJrA8(# zv2gsIuz>5bvch$Zn4{qAo{9s=Be{f5AA;r!$&T7Q=jf||@TX)^^L(1d;AYo%rt-<- zMN8NVe4;N@jFZ7`-9II_>&Qr9*!o@O=KI`wd)PMSR%;7$NSMh^uV$*|24)y%!|FPD z4=B{M&N_3SjxU9R9=0!q&HTJk>N~CI)M`bvS&{me<6>%!t5klmjEPFxg}yqBd!hxK zd6FQ&8GI#`hvjyMPL>Z(tGiHI&m>O(sF?qk3Xc(&CqZr-xFNG_x1bR@`_b|#bJ z-AR2;9v0Wu9#cuRuZ4E;3~OEzgDms)BnD=v=CcQ#s3qvFWQ_bFUB8%$T4*Ie?z|sW z{3s=&`v`<;EROE7HP+VQTg{qo0h@7d>wA?4E|2-|}zw+L0YCG@ojP~;K{k$DWGQYj>EVfdh_&t+ynw5X*f-wEHC(-_g? ziv}~oC;Prs^11UNwvq|dMyp><6P8=$7y8Nzr<#dxX|nHd>U7>6Y3JNBpCZzXW&Ex% zt(JXN=T86kNwB67$gPM6J%@oglACjCrsG^;&Fw#8P4!9BAQVwbZtq?vfi=zxUV2iy zB+MwT0mb3a$H85&tXn@5`-4o5I`a0k!ZS!QKP$vak}Igasb40<1sE+{(on8EB2fe? 
zAp3#0O*_;NXB|hIR^1A@=lD0C*BCcsXm6VZ!aE`N~Sw0f`k%WClVqtH*fRairDZi!UJ545HhjQ&^rT_ zDq$==+sdD_#VhEme$(}C4J(r+ZrP3_6M~|<0)f=FeP{o zZMCYjIDsxiUi@Ni>l)ROO?*YJ_NC%}9xXDrEGJKCXD)%w0?eq*$|vED3N^_Z_k^L6 zu6+6y=Ym?qxZp;GL8_FYJG5k)T}ZgDA=u)aq^4QT9Z{GsXTQ^oK5q)udHa6Eyz-Eo z$aTAYA(vzm|Er{HTv5yA>td_M?0D3L?@v^`I+l}3erJ?7v3-`c(F!F%6AHW+=IC~V zX&8vAM)<7w*B$AS*Nqlag*z;q5FlM1P;H#T+X^oXh)o_(fGiu`>5pO6V&5$X+vn>z ziNYu6-ZY;Bhg~vWRwG)ZK*+-EcobegbBQWcq95U-i4q%v?xnqqD7j>U&}N2H*NodU z^tW^pkn!QLwj?&y*{&nfjYh6DQWcAa&Ed_eWkmOypFT^bbOHNXz6jE2278|_`ciO) zC6XiuZTm9iNQ6X(B5Cwq%DLd;bVu7gBX_IjEaaQzx0UIW<@;7IAxDpCsx~}Aow(@w zm`yt0*0asJ4OK5V6B~~oL5R!leIBmcIwymyGh_P}YS1!NV;VQs)?o#6QmulreG6zp zvc&wM2d@(9W!&t3ESs`66_E!&V3>29w4LJrwh7YVn9AN1(+QL&-BrUNY-ac-YbX2% zn>>mFXx(Y-K}9&&Wc5z&Z<<$_F7WG*tQBB7VV>T={0KPui<7}AqWD`=y@C24moO6z7T z^U>OjT8;KQ;mCP;8)y5Yha0=?t-)!vkd&+%CN^o;pp^ov{ry?)?&0JH{hlQBvH=;5 zICbJ)!O!D|FSaF!=W_D1r#{(GA=)UtqtP+kR*~@BEYQ)nXU&)8U zG(d>6kRp*H=&nW2&TuSiSSfW`Kfv+qYmw2uai|XWf3RO_*>J9RbHf;}r^g%T2H(Cy zC)~fF6APJeFLtrDjAX-=j{~|bezJA(0(4v{{Vmpmf_YDb5L>Jsl^kiSpjDR#DBFO z7E;8AhZ_{`4HpUQIK$y|!IM!!2@p~7ITLNhyZmal4>5$lmsuEMu)4O!i)YRzV;t?K z;@Mlqpw726_(euqI3N1Eo09r0z`6p=Io{fK!K4X~lwmTfjS1v?*6)~XUP)_Z#ORBo zNE02EBp)0u30`*YWc_pBO1n?gD&29WQ#fU^7@mrWQ8XnGYvJOa_{|R%Re4sZZ@iv1Plp^qPubP0tK^`wxF)`Gi*zkBSM0S@=L& z>uURpjVM@)^~X%CR^M_xr6zDG2kzm9Xv6)8?7RloFFN-u#;9db;(`W^=Z0`oIgEV_ zUn|22D5=7=5dCivP}*03fTEiS?7|5suZS}JRY|wyPrB>SR z%bc0r6pt9QN4xTw4HG``AuY_fGqrt&Y7SfqxY}InxVH%ueC}bp)zA**ofiXx6riiS zpN{8q%Fsw4U3AwE=R&TSCr`r8+;{sDt=S~_>EpO>wlKBa#!Jl)Ywzb?o; z1f6=*Lmym$$#}xM_H;`VhjY6FpT8H%)Pwikk-Wyf>SCSfp%w5|9tR~EqHmsyK=yg# z5|FP}3U^blzY=!<@_V8^*83ipeGD&pwm2$v>w=jLpT><4_xYwePPfT-le?+t5*I5iXsEj^sNp}KN?i-6ZgMsF`0n#jwzzr(3Ak?!vsmk6ou0@b1)>e> z0xc0n-7DVr!Qj^GKvTMb)-F%kWUj|D0`v1&OebM_Y9~LJ7Nze9s8_*R6#IVwVub_n zH2$#MXWO5Pon$8F zO!;|92I>%lo+AoeEb^U)G)}WANTxS_RO2s~+}T>ZPakUAF6Io0&2Zw~7QSuwSY;~| zt3ZIi-;oA8~?=8zvsku_lmDfFeGk}5x&oNXO1*+&sl z04gx^GUQ!tVs?rj2{JOW$uBLrd&F#!7(xhEE^C`n*9ln;U@!Htx9C8h?-6_q@*>Sr 
zClM}|NQA{)izQmueb%uc4i%Jxe3l^1!vNkWeoq3Y5OHT#N@W*ZR$CBM0ap&B;KC-( zW^#BgiLNDY1apX-Yf{`tp|M{;`=H@>l0hdEus%y-af85rn+$ff0#zqn;e6)Iy+7QSEb;U z_{)6`?=+Ih(b}6Fo;s;#aDkx8E0vf>{FFx?NfD)qhiL4RXpU%InI~T{gVqlR7q+8~ z=e7db-eNH|I*&rl(5nR}UhZQMr+QB_?iq?khE8T7{J{ThR$yci;YE5GDzJ+b_{h!h z`u~+#0j&^Zw^96qkHlJMbw{WP6_RXZv&>w6wJ1H--DC6%-%1(c!5R3zi!E>Xb2)=L zlFo=0zu~=q)Hir*MkznJ0T^e)NcYE{VYiJ zWnGK+v__I4ZB++Wrx)!z@hoK~i=7>;cqA$aKne|#yyh$we!>tk)qAgiu!biKI7@5P z$xs@IG@iG=T=kHD5Whwa|Nkj+sQJ6)6hN}ZfAGQH=6oaS{-M&|-)z~uAZLES9Yv5m zAH^MocOb393hrmz6^6`FM_Zw_8|>S?SQx>DmOo!+P?+r3?=nrQTbAZ{tBWM4f(-4_ z)YWPmcs#!e8gi)jkzWZrJ{~{E^doi3Hv>n?_PUSJyvDRWk*K^a+4?4qluZ;%(N&r%*^9U{vsl!X{(R<&!?6TMPLuO zLh(_yI}NmXP77zM=IOc!6DrkIRT_GXJ!nYkRI~hS-kG7Ze)_`58{{0NLFu5ry(TO3 zmGlc}mvtYne(DczP8tESYak?xQ%nbvyhIR%5t`=oDAcSIho4O>G+gACa>^f z@&RSeUFFGOpe>Ti+c#c7fGyd4FsQslzqrm1=H#;2)vImRi*@8cJz^l1}*!8~YAVn>M*po2lr$#oiv$oY;w4f z?ge+D;Aej|9g1~V8&*rLj)jEMF5exU`>9`9X`Na{O5|wn8)^UvHTKg^djWi32Hu8I zj|yYHFr$#zhY}6$?#r(mj=sRKyPKl4`6=Vss9x%Gb|PTp$moC zNRh9{p*guetv3cPdT00H(!&<>p(b>GE(@oIC+ra?`qA=6hG&)A9p`x?rKo`qx5s9G z-LJK8GZJgTr|c-tGC=*F`UIyae5+w%mqDB9u4#JYs;c+K!6X4O?cI_!d@!pb#RvwC zjM}bdaBP7%L@lwJE0oNUPH_86FFYoFkU+FQm#lI_aqztBW)$^plk5F?KA^smL)Hhv zjGpQQ>@2unTVGO_fypaxGX$N!*7}8BC1}^;By~8^Wh+q*x3V*KpQhc9A z{-j!TvjxQGkf6*jT`i6k(NPSZxZ#h6gtC_ByN2V{PDDKOJQ$Lj(FX<*MiX!)4in#0 zk8||2VT}yaIm)>V2{sdqJb3s?WeyAtJBZ@eEcqWDZA1vzT=IlGudvjfpS|^(WU;5Q z#e_sy)2}^{7-rySJ^yhG{ox$Ci_%wcNk`CPQ6lO`F#;+!hI7d{e{;{+2iwz$Tl$+J zb{H6kkNFzwj*ug15u-kZoTkR~mP6X{%Eyl`dztClQDT8EbpijP~5=5wPmON|C!ez$r~{Ak#U zDLh5J)RTqsY}=|VXr09#k8)q29|ChO(twT3Fux>I8es!7X>W)?dNF45f(Jx;2|xkn zkQ^tthg`6_+5b@{d>-muOq}N^SJAumf{`9`oUf%)*8yzKIgeys2Kp!#gI}ad8ZuH!a2`#h5385(J56jGm2ff1hY6)$h7s%g>aV8pm-h zhAlHXO}Ty_w>lhsij(GkJdY193b`obh#~sa(P0^m9^E?Z5EdpJnH39Y!IP^gCP6Mh zDc_Mfd{665d>-y&v;04#?7-M zzr`tLCF9j2qxqKBM4WS-Kr<3sCd+UrW1Ga1V($m^tzPD{xq#RQq)^0_vC)KYnNRBE zRSuUQhsUlc&pF5Y^~6y>d$KV3EGi{lSqUTS$+>#nVUMm?=g^#F!bPjZk6sqJ55a6+ znf?6!2#kzc@GUyC*9Jp)w9N8t%F52Xx^`qGa@rgIAjUZe1q!8ysp}A{-CD 
z1G|$+I;MwjSsKetZ2^Ui6qe+fk2-4Pm2RGg4hb3~}E73Z7Q~kA!_6Qi*mEykZPlAHrPYJTFb@=SJhedK} z;V$JnEZ(uJxzMAiD{tz{2HsQx_omKDT{gHk;rHq+xA!DcDfdLU)aD0O2wYKb;7v7? zrea7tvyY3Ow}_VyNSG37E8J5kmnkyyPn_1YHE_EJ+Yu%4vOvik$s#^95$QD0n{i(R8NxF;S{xtipt{-q*D)yo%7@ z#{@+DxUf6bphRKq2O@6xi<%-ufYTQL)Ueu-mQSM04q4aE?jOvNrcdq4oE`vEZsV`k zsaTI~*JIiJ#A^|NIRTm?aw&i8^A;LxR+8RXu~Q?I#w*<-nwsm1@&XR0+T{R{SB={v zm2aA7r%vEkZ;j@`sJJQyjG!{npetm%|L{%vQQwiKG_ufmjp=J#V`!(uRvjZgT@(CIP#}eU&-@(JRWZo=S3(UT_2|_ znBk-)yPB|k2MT_oTnZ9stBuG%snr~><}dh3)7B*NrxbH{c}7D*{2co@HYVVml&7Pv zJ>^$Miuy+*4X8N7x=0pO=)qd&BPBP)vn;e{4KTWo5%5m{LbY3zD* zI^{a36vBfF18{?xN-JUjoa+W_Y+o#=dGpL-zP2jMB%Oo2MDi-yFZPNmM}9^fp3jT8 zEL$i<*PX=E)>Nsnj~MG9c5lHUdwFSDUDv;vpo3;(T65CTV)eMxzJLn9fh(X9k63kz z{r=LurqOp0@>!BR9M0~1q&MS~&~@s?7sBM=<19}xhr|}P6#Pkw#IhsffUA!;1*K*a zp}o~W6CKBQUJb(YI{%f?4ULk-E)ei+(jv}*WNC>Oo1|THn?rDy4^DbVAW-J0Lx9t` z9tQyMckRKJ0N@0)2#PBsX@gT68$fN2!FBKOY@1lKMBQKG z8fe#8PO{&UuG_?~XEYt0r4y!+`k{VIWcwy~#}x$jNLO zt8+M_sQvME5X}Zwi2VlQnS~;&5Ro2r&>Dp_FgVa=^TeidTsc0gF)ag<#Vfpd)KqK^ z#+u2`LxdqtZTP9+jO3b}`|GrNo1cYancT zIkxsFlGcRQ|6>wkc(yuO zcs9+}|K3`!u>8#*uzVD~PBB=BRs$z1E4Ie;oo{Ra$5iI-VS^K!r$&v4ly{dINxce! 
z)D2re`q*nkl;v!QiHL?l2a)z zF7if-)p!lOUVKotpI}sCC78d^!&~@<5-wiEQGigho-;|)PO^g{G0(X-ywxLX6Tbm` zn)tkwur)X)Atp1IvZczt8B zCrPi8hlGx>U{gDBYy9@ElrXl!@@%#)N1qFBRPJ*XWX)ZtF|+=BuI5X} z+XE~EArq^N78@T&<5UF%Ej{seiQ|Ick;vYiTkk{9cKVyZYqx6xLQOQrRZo96T!bRX z%e({MD{Ok6tJ?&KF~04S4QWVCkb)bu7?3Qb!-l=Dj|2Oq%#l3P(c> zOYlvPe#EG>r+j22g>ad`dD1+be&5rRm`QKFCnPp_;_z+l$70;^g)!38pP~eDmp`Oi zm$C$ft5eU<=q)}oQZEL6d;w`?z#~n>4How6Nl=ep{{MLU>bNSqrENu&O>epz0qK&E zZd5>!5_}7^Zu*;+-u!y&CE5| zTr+F3kc|BJ09E3E>ey-bGg9C<{b+kmjC8{yul9jfH6k6Xgzw7nK$g!!l$-w0kxM5r zv)hcFk}kb3Qlfi7Os7wK9lvX7Pq=$6ZDM<)ctyI1!H*c!$`YLU2 z&m)|;FYco^hR$2bFRZfN^ZUTO3IOx?zB(cJRrJdt$UAywJ=8JAjv1HS$OGJXHr!nu zb2vodzLHHkuu&!yqCYim6=GyUJlvdD%hchrC>K7ZMTmIi0L)iNIPFvF?9C>!q*{K5 z@}%~%E}?S(!KhN}WVoX;O%%&uDv}WDy{WBEZ~G6#yKz@&uYT_2n4LQa{}S3i zqlmF&&DbkWex!Q^~AX?)N zKhUCq-#^eAaG*7Pb~g_po&v zvo&paXmPi-wQQRHMW(&7`lyW!+7dR!Lqe(?&zAE#)(v95Sw?TufrbHf9X)O`DsM^= zT5n2NLY-!5==N&tp&K`G(;AJ{=Y^dl7CIg$t3%8fftfQsuc)HcNZeO7^{ZT@9+E~} zxnq z@}s^qWP2@PjZ$HdVQ1S6FI)HKoQm_DQw!%kwynOGr;1nP~rJ1g1-=^481 z^DGBHj&Cp8skkWL;--vukKt2De{yV3_`+fs*7lZrZ(B3S`UqKOI+abGSmtxhd0TO& zMy+$KTNLT&ccJ5_--8~cXeZoBPwYbtffGlEOI6L%U@$2d-l9arQ6dG>Joprqwun2X ziVN}#GM|fVz!70@VqNBm;vi4F15c>VOY-4zm*q#!> z=;)|j_C7(V<@9oY4qK5ARKNGsA+-a(ZkJ^EkQ9B+hZ zZhfDgJ2;3`ms7nOvHuqL)tK`>Ewfe$ZW2q3{!;At$PnDk$Ns*XpM%4zguMZHVj`rR z|M*AybV2N)E;)}xfCb1uRd4{7G+bvMrP))tY0yvxS^g%=RCSn2QI>joHk_%2Q&)uP;*@A09S|uydB0;I42#Z{{3<`_= zWpdvVj;Bd$_UB!iH;e@Ni~H>(jBzPk3$bn1s|k`zxS1ygy0n!ulArAhr!#rc20wVm zk2_C8~bD>9<_LOK%5+yb;o3L?zU| zhs)I2QrO~~4(9m1!Zi1;T^V4sIf{0#CLXn4m6TLrbkZNBk*?Nw1DomILn47ygLdp( zo);z1xE7{eS&|&#$PsPfRNQ>W-521T46=WlyFGS_=(em+J{?Cs*@2lhN@dMe?JlPp z=8Zh28mW55#dB8u`9L#xci$|1U}%*v7;c~i`hRm{Ro1Xdj3Pb3wd~pgFKpk;7Yg7C z72K7Rq;_F_rCjvz?iY7)mDeLW&J5lU2s#Rv6-G)Oz-qno{uirNgox+MLO0=;ipc06 zt|xzsN{Z5DtzIPb&YEpU(ydT?tn0T`R2LcAMX>e4XS(i?++H4R3Vhbi?y~9uz4xGe z`QhV>wITioYXdjlGAa4A7oa`yu7AC@u&u4H8TSiqPY3n-_|9L(mZ6G$t=cxtJ(^Sh zL3AfKb0d54TXwygoeTVe;{W~yr2qhYk6?r?4mj5zp@>&6?x*!XzMq5?MZ~h%gc4tk 
zRFOIDR|Lpm7H$uU{x=^40HUij2!uN@4PhSbuCeS%|c!}wpY zc1)#msZ4jGDgub1BF%od`eTBYXsp6Viu#P2_8a;~k7A6u0~Hwz#s~-o1QA|(-gIc` zY;Ss7j!(s4E=S(oSFu0)S^ayH-+HluOvVN89REia_}8Q=pq=Jq$!=!?wlVeTF#pAb zI{!BFAO@hlu4P*7&UUj(=(5uEiSo<-1RQ`FzuKo)*SqN=3>mf z>IauAD3<@X_x>NO0Q}_4v-HxqnTC#?IE&OvpN9zuSaa?IGEf|&K|G;Esnb9!Ld%=L!+OZ8;slaBBVbl;P&=@h{EUe@oYn=gk_9OoPf8!p2)f zI7Bp({qG<7ow(LLKvTp&Sxx}ejN3HKB`LohW^91t+DJZC0YptV1vcVEmeCyhOO_EU zpz4CSrg3v>o>0&AQ9`GI3yK)ySJqtx;H}?b;XnTUboRH8^{Zi#8|=-|)5FmnCQDBT z;)_q5@qhG*3AF5R66>t=n$R~DUU`CCXAbxG@xK;r$*7C5NF+Q$`TffXMM$A$^kz*J z=Q+R*q&eXFI-`mW>a}?dWX2}=QqbAn`bNfpc#8mw1XMD>>{2k?cqwN?6QmxyKU-?w zb6;A~=)Y%0mR}Pn>h>|T9qoDCkF0NQzbK#aq?6~^T;1sg6TKk5;*p7Mb{?nTvAR?5 zk1$)NzCq8v2hEsFb+9~rn0`0^!p5LwdsOG5{p@#tY3i8jDKc)Wo}%8aIo@j^uz-s) zdD56aV+XbqkMrA!Vho@MTrk%%uz?dk3;(-Lcy(}$e{LPwak)_D`Se}-)V>HADqNK5 z;txrB-{Y*N;!#<@cvzAtFJ;B=^ajPe*mq<;oF3)0xam!q5Vq!P;YqjLU zA!}u?FtW1y#Y^*qFO*&7-aSV$6ghkp+xMcW0E^IFKA9n_#%%a?)6jz zzsB>#$*Gdiy6GmLO*cPZ{F&DLPc6WQ{iWuO^YMbKIP}3yFA6J3F#N3hdtlQeahB2z zwfh|I=e?+1)BJ@2g6r$86)T}V#`aHb`g7_D$XyOzQXlUN@u7}CSgh3aD57o=^RxX# zPvPd@?u*71ntoTSva*t|%mztIc$KjuM)*SvRMN6UYPpSvEIuFl-n`*)`s}vC$}m}e-Kp?;!X0Fh^B*+Yng=hJ6>s$=0$Y&ZqVl19 zSi@~O{q~^-kA?mFrPKfgzIjjXLrw+fOPDIP z<%h*|%i1Hy^|`~Aj*i?SM~2}DILU-HFRO&6U&1O3|I4Oh#QX* z(C=ZmQ)(5GlV6Wapyg^(*>^KX{m0Tk!%zX4>mk$|6=kzK*acmzW$Zd?NE-!wa$(1D zNd2%!^QYoQUu*T%^7E^Xhdv9NQ>Xh=yAHyf-gpn+Ds8_O58orh;NtP}(5n10^hiMq zRoes4A&lge$-anZP#2jBEuzL@0}9%z4N4W62ZHnd5+>J2nQD1ex-!~bLZ`Ir#JnRz1sg+$vbk6!lU(ZwbdBV0A*Q#st6WY9 zYrw-Y(%R<~{kcy_!UD5zh~xu)%V9;E7Lka56~%RT?gd)?(VhNDGqw};&2aHZBk%5X z`B8f*uwFmXKny>JMvn1NrV$l32LxPhfVnGg34=+_fmHZzd#WF@)YTvl9}mQ|sg!Zh zAUZANT|ao*x~-=lt(VKhDvYUFZvMH3ck;HRIx_^rguTu3<)O{*ZNBn)Q#y>4b`HQup}+b>vuovNyJm-XHX>hv^s>q)S29+A3uHv%^&mg7|bV7 z6>laG+8G+PY;N1AhuP$Jz(me-VRy$vzZ~4{3(QW<)j8*N4otFJnP_-=u=Y*od;FQ( zRzE7+OhJPHk$u`w`ec?+NUB}Bzmc2@BL9L{(DNM&{dS3uC;RY7+~lW0)dCy@p{k+w zlLKMXZy)tLqH#r-kEYyC941H>M+)6~NXsny@Y!mQ(zg~sOvI10No-tBQr8u+Ht6t) z*7B`0!r*pSR~sO_#ZdX9P1kWFp}fF$i#}6ZLM0Ci&&iU)f!=f=+hUBViMU8F6xaBq 
zcAaf?;62sR9)*9qADRp$lzl`+1wy?MnUa2=O%Q2cvaWi4hFa5eO)%5$jwF?GcnDQP81eH)yOi&Hadv`R~JL}D%SpzEQoglZT*r6aA5}@ z{A~+gU)-}Pt5M$dzYr4dS4I%8syw1F57<8z-gwq_2-)ojV80ePCYo0Cd=RsGqQcRK14 zM*)J`^Tk$bglnM5Vt;aQD)#&v&ZIsXhx{L%vhvP8+Y(uE5!5QFE1>z~bMv?qL*^t7*s4`Zp?s{V83wWH}| zSP~CoZA1_}(gLtyRvg^K2gnFTFw9|`gn9=^G{P|N6Nb9h8Ui=j6H|fngZ*jeXtF|7eW{2i7 z^zV0EHSR6Zs1(+WM2F{G{EPn+q5TV5-tsY!Z;_kmpug;RR2S~i2qhT7tn?%z@DSjN z*KT+V-nWs{-Ik)cAe7{OC6vnN6r5@#GhQ|IuzwpjP@!d5b3TjBKv!ze(8JLrN2OsR zd~4sjOi_g5p9|r%m`*tOk+TtayOkxt zlYBTVXnauVBB&jAjFRR*bEWWV?Kf@o0-zEPL>8O1#^*8;Qu-lx(}!~9T-%SM{0u3{ zeH-~j_T2m7mz^OrR-4p&e?e5Z$dc!1E5zWT5t;oROJi%zo3s8u@_5`fUe& zlE;&h*7M0j)ZkRT>?2Uszi{vddvC%b`Gp=X_Uy)3HgAaNl;K9ldqgSCi3j>UE;H5l z7spm#25zvWXJ;t&`9xFnRA4eq;7BlD-TqlMDmn#Qj%jd-vW!YoMBSUrb&l!4`vuS1 z4FylXF!{1*@MpC5z@C26Sim0^UQ1i&tCM*UT(f03V-$(y)pG1&w-LztB<%CzmIDEf z7w{KXzb=mBxNH>XW0h|+g4au}`7D1h)a>lV`3E|V8%?@dOGc;qFl5ImMKTBp)n-ei zJo12R`kwwBP2azupLkh7Z6>TF-&b_^DegYJ-@86!+Jg;i8%Oy#gef$g`1?8A{%+7ee| zA$9^3%?AyuCGr&;10CXUnH`g%;I?BAS0s2493wVXgOKaHB{#rhJ?n|La0+c(>3zWs z(rTCAlZ=e;rqVb~u7f7ZQnhrrWDv=8cew0~a~{(29O}5Qv6PsOOWXOsHR}RZ)AWOI zap+R<44uNQ$SlF54DHh+sru^Ed6KO`uWyp2F{Cv|gU8Z0V;dvE()Z%d#nd7q222c^ zLK|-~4H3!^vK-+GNL?p&^1j!a&Cwew$g{M(V#!?f;OIQMT?AIl*2%ON4?y>UMJKWA zxyPj5*c!M$QUo(qaneKg|y`W1~V6yr&63Ppcsr+n_{PL3MNdV`Kdi8TUT;c`q zt;;sDGztR@-*9V4*=3W_>q|vn}F(#Q<~dtL{me5t`U8Xlao=55@RiSh^VLk z!A_`g!59WS*N(6vz98YeIe#JHsyQ6os}A(F+RSlUC#*S(rlFBgbE`>qZ5T5r^|DO zmhtUX%sAk9#fvPW!Et4US(}hlmnEqWhkLFGm48j)j2Md##DMxMA$w-a*8vGO*yPF? 
zr#Ge9`2kr*Vt41z)VkfWiF6$L`N^xq@v14pEiHgolb_mzR2YHTRkS?C&juoMKGvYI z_$*3TPANkk+N(WRc8w7trsH^rH+f2NV^0Y0T9+_pQHuOBIBzGH&np#Y%ev3RV|I>4 zWeEy_i@BN8EGxh%%~theJLMSQx->=8lNimdzBY>BHa?colFwmGYEy6fjv0V$w*~r@ z11YLj(EX2uk8{EJ8n2d>C=zL6z1(jE?*7Lcv3e?Uu}m*~YxGhWQ*q5AYtp9fk(>2> z-wbu!?8#86zauxgb0pBbD*6Yr{5v|(pTXV~0*c!>8^_RV#}3kcZcX!2g6N|_wkK&a zSL6(I^qr)OPn#~ZD1pCbj(L^JYG?-=J6-Qx!f--pC=fnVrisp;I!v&Z6|(qXZpQ>f z1i6w19Hh6t7PX8;%6vg+ITYMW9~cXjwi7M-8E74Ij9LvpSO4?H46ZGVMxw+0qN!K-9EMXF*M^reS1TeIZ&xZQfkcQiC(ZxaUcL^fd^LsA)=HWN2?>k&8UWAH~T znmi;jI?RU#5qwdp#Gy;}q`o>fLeg5+0fijr>-0&wCyPpRC}Qr9wuIJ6T}Wm{_J@sh ze(>8|sUq(~Z;&d*0c}r3m#=HkDMgtZqzfRGzsUhAHV5+z!oC^_~?{Xr-@!sgr++;no0qn zewDC~3D%8DPnwhz_DS~XKR)L}BRWUow)8qCcUIZWX($oOuh;Lu_)pqK{wnsD#1sZ_ z%oTo^?l?-?>Ms#%o=gvDnjRt_-q~UY4Fa*({*gi@d(S_+I668yh*vv-9+7#xu&eHv zn5-RzlAgkY`zxtqnYDKa0V}BW$4yJ1h|SmhNa1^7?3~s2IMqd?1pC+vSY79xpha zX<%c%Ai*I?I%m7*MDX?wk4C`4?x78b?zGCxzLK?EUw)1U&xr@1jDq#U4dy7FB5xu_ z6k2~DK1KhowiA^X80xEWFi+Cl!|{-Ep!nM@8H<|8F{fAAuS1kRWzx|w{;*y??(X@t24UliXR#NYm3?Vc5+xL$9lGJ_oOI3j7nVeNoj^Nf4?m zbnCU2NtS9KJm|8}SIkkf5IpZtc66L~b39JHIb@c9Lv^1$a~G(9wEKSSyE$z_briGv35|3p<%2bI;ExX( z6dt%c^EKWg?&s(s#A`+n-W&0DAFVy4!h9q4+uDS=HsXBizvW5n%(GZGZRQk6LB#14 z2!m|C*0=B#wFEomfI1|;6W~>&8%W5^Dix-w0!z_gZ(IqBqYRK!{j4K+k6=$$*E={+u?P}%|L>s z<9Ikw@BjTeF}zGHbTs?`BDU_ds$Wy?N+#~FJ1ZqKT|x7Xk{r5FNzmB%;GPIIcwY4M zBsqm<8z6Qf;a@#BypH^Z$Yr$LN`{?KR6*gk5&3)U+A4luLW;i`1?MbIyp~tNQ28L@_++n7tBWs~wX8&)IYOUn)aVl0;N&B`=t2 zzhCgiU)STC{RV~&Tm~+x53t|YyIhp^db-?qOZ=6-xQx(H==boRi!ujO*4WU~jXg&h z;cl0fHpD1f_opscG2eif02dc9@yIUdkIlc8Fa4=}xu|vyYu^U-Zojs|zf%ug83Yxly0P z92F_JjVcSw6FEARkdm2&s{vepm1O=+u~fcHT^=r#ev$jzsup&*sD=D=bpb*p`!3u= z4s@l5)oWOhqSNe>e}4{nf{`CW!nWjFq6n=N*v3MChJOvnxZKYad$10HjuMUHSGMA> z~*kiU|`)Cl#N zKLbe-OOzTKxDfw`-|HKsDVRowt_xeH!F7k;Yx)skV;@%ZIYH3$5Asg-gW!e`o>6;z zO7b=aum9T*cDvVSQ$kCbT*IqrG8fMa6FgBJkOZOf=cA*e=koGv-jnHkN5sIu@JRt^ z=#vOk+%Not#IO0t|9}5b*X=+UO@(;q%mRfPeQJCqbuDCeqcL)UEJQif48>X$t!zCQ zLF^Xp)kj#8A|9EG{&0rs%vG65D&ID&yqZl*)`op0&mc>o{;^Y-l%AL#DMF)h5AN>I3I=a{U}Pp 
zu0GWilY>Zl!96Ah9{GjGyrTCDGi12_|J!5M(^JWg@uAWABY1bGSj)@RCs$jW%O&!$ z(qXp&EF|KPxp{FmH=zIRvw24(K8h8l-$rx4;2^FPf;bInmXNxJj+EMh?=e!u7gCT%7bpha0AnorI2vT$cBVHTgAF z_lFH?`{kP0e{)U$c46;lZ0CLyHKkAa8)sHC@rBB_v@GUkIJNy-aPi7Oq&TS z^`NBBxMMn)orf2nr^%x~Q%?d#yP*U+Iv$5~hJJ?AiD&}<-7w8|yj>AZOf-GoG#w*o zhK%n~jDOXdT<&`h`v+vPFX9jc?p&p7Tp44YNG0IMn}_+QRmdAv)hdn68_B&Su)&Wl3*DD ze_6(1d1nc)r$_nKCy%dWkkTzPFGb!t6)0pSto*hEVm4}g%R<d|N+$*q9i@+%7V7Y`oS(O$F-zscGW_-Uc-cwUVX;(J(7Jh53k zUPiB$dsG}sH`DZ2$ADZ%^i@*m(ORz-M@ad(5~y3*5Dwolfb zL182hRs=54LsTr9gVgKY+)Vz`r!f1J9f$v+%0WZS<%3RPAfG{6(uG zj*&1bT$Q{ichUB+Ah+Pa&P#cLzrS@r^#dc_xr0e9DCzF|(teEDVzah>D+i>Z+xC_X zGjF<@h3z;)l3KGVuWs3pfr(tXohjdVDf2??yYgcFRC|9U=0(@vu=jqMnCI!6^7P^K z2xYdX9KnESTh-o2^x(z0+O6$?aS8Z%lKHR9C@Etzio))%pBkcTS+B8tr2cfVts~tr z!oS+qzb|2)zmYaRk(%TNDrnT9x5Ah|Pg@P5Q28+GOui(J@|CA=F>HrPStIFK3lwicLirY zhUETE?Mtx~N^yns$~|)_1Y~%Bd>?Gwt0UNUYZ52x9R17T&6n9U&>$%+psbS3VC7p+ z>&yPAk0Zn(EGG&Irx&mhL+kfpBYc}P7RO>#+p;+4LH_zrB(b0~*%8_YY{17nWO7}t zG9mD-fW9(#Ce5z@gD6vn{+bdMS^%n;KNarQffTSCj(n@>QD{t=<+ox@2MsrpC>G$74Z$S}quqD(9>JT%Jd2bsFagyiCb$PM z!I&oyi`JOwpoqTc{UAz1G0m1wL)Zny6GRD*pz87+egie=(hrsT!dKpvO!)l8eIs+6q@5YK#wSo)tIN;wjO!eynwcO0>#yNccyIWR)fdWck1=GCi{ zLrSIrQU5NL40AXiM*5FJnEuuNoP7#nUHYOc|LfB%`Mx|yGXoc_{mFYyMdupyi*7}<_d2H zDc0pH0t49Hm(7_JN|1-898D8IlgSK(q>a?<(Y)V42$)+ubcB}&-lJcBf670rjglSrJ2|n%3S(b^u z#poSBiEdmK?L1ntXaO$MM52hW(B(1g{5%FtP|~08IL@l4e{5Xs56g1vJ@2iH?M^s3ZqeQcqXQD-I1OMh6A(CIw489+VNp$Em$HI#K%wt8rw^`Wk0zkkin+ zjf%ou2aju${s?y?gpz`v2|B-njwHAlZz+xK({1iYWfN(_cx$(AK0qnE6>ZK@@bej)T)s>={2J3ePF(|>Ds_}YYhWaFKl2R8{Xn>3C!zN z8ZMF(WqQPoF&sh$!gETqIH#u4jHl} z6Lif?f9y8BxTTzLLkgp8OEs(ke6Y_~C6)iQ0NzsVO7eqMUb6?>@2`bN_J943W9{7$ zr=wAvoNaeb^AbZIds|pl%>>4T7~@yVsqCr%|HhP8%YRw`ObIeQxHw}2Hbw}-^ia!RPeFmXm%ed0Ek%ymDpO@z9^J>Dew(U^M~>XwE&_IO%Jq%()}1|WPjPHKPPulFzP{i7#8gGC*rT{nVyGP5%Al14j#PXOHzI$wj zkc&&!Rrcp4D@r2srxapAFLb<`n7BhWUt3J9iAwDYP1`+lfqGHiI%Buy48D4k5bgc@ z_g7%#J&t-Y_G?2@$wx2VLoV5VA&^d zxM+s;76N}7GW!%nAh$1_1eqPP+FI>E4(@J55wyX4p3CubY0$>|Sgl4kuTp>=Nao)K 
zZt0)cbs+^xV>r!MeF3^+Z_h=S40K8Xe>+}tS*91ESw;IYyM>C=9_`oza^d<=7l z)^p}?!}UhCY6`zSJe;TGYG`lg;r_`J(N#wD5?_3jqw?SQ^6nblRV(JhM*3ySc=tEnR*CnOOvt`!#nT2_6fw_By z9zsv+t3>;5hyt7#&ii2Tp-&^PeT<(Q*8nNQrJ>9JjCY{sI)p384c^py4}U$+l&`8O z5bVKHw`1YLuZ>^Aj+#GV$JJx;RV5k;m2K!8|CcTHW_dS)$@8eN=X{fV+0Se&5ix_; zeR$+eTcw*lr>7IMiiMk|^S=cqH9^@<3azi}4PGb3vL=;lI1=k1<%Pz6Wzpa0k!cpF$Vv@W?vl^zmVZS{3c7s9 zkLl;(z08G7M;g!Cy!Lzm^2d~KjUeuS_$GHb?RrZ4q9sON>t~X+KiY*X4aJ5Pv;ow?Y38yz|{6*T6EGEbc)FISIug~e*14;Y&u9fR}5Q|TDfq_@awp-u63B6E) z=vkyxT#cP=5;X60ST(OTLE1cWh}=ka5O^O7)uH{E?|xNVTg|EZCW{Jz8!1Dm&2Wao z_XyTwNUioWRwvue^7_UCQw!Y5Q~ZWN9hzzXg0!X#t2V5Z*Y_CjG46QQsNcFeuls?| zB=~Zdem{5F0bY_}FW@)8-oyqSiZ$Gtb0Rt52>^yg4s#u5Vn?%Ox%R%%vJloqZ zk!_faxae`H)vsBQ016<$gTUisM`Srp%80TS={5W&vn1)w(W5W%Iuo}SE70QY;xh@G z?xORr^{0?t& zUIJ*Gp8$HyLWHXfCssql7drddC~7)H$}BvBT#^~erSKBVPP{+~BH1QDe8ZZGJZtr4 zBmLHM$avTgruq|G287RYvjpB)_ja1oX#j>M_52erx9WF99lCSMudm*Wmwt5d=n$iEt26Nc-8XIbXs=r9tTvL$hVFBl0 zSx6uI_vw4tin+EeWo6h;$;4YW`DM;lq~8~xM3 zyk1J-FQrJsO&B&I~u!stUlp2 zP(eh#!BmO*SV|fE#O>}sBZ7TdVr|Xzpaiu~g3Y6?WBPhlMk{l+@pQrF4^6^8uqtjm zSam;?`gNO@hgIlIPLkfETGqhxmSy-rWiXQ$9Tr$L?RSAOS!uf0@x~9}jOKq#1!q zBy(W7@BtBK?RF&e31SeCC$zp2hivBqp6sRL;~vo&DZj=?q}90)FLu2MxgTr8#02|z z9(md)%=MJMCARxP;BCo5p2@##v@{eMYphsDW$Y-{&mV>S*7e}1T*L`%JZaPUE2T~6 z7*;5xy^`|-f%{Z}yt*@G6rLCRlc45djU5Oi7OKlgCqxiP%i2mT7X|F7b|ed(FCP{C?>poU1+?e6!^TP}0f z?2+YcZx;_@x{XP-kZzAt^0{6 zdDEed>QtSdUwiI@ylc9af3y$hpE_WNkuLuQ8YV6rab&NX=f`CF8=AhR{NjW~E7q@| z0x{LBTrv%r*j|)Sd{~btDKgF{f1BzQm{LgNOOC6nLmHlFhc&Eq@RQ~LtCKx@inj?f zTp8T|h#WuEd*qhokbA)5J0~K&wQ|Iuc1A9-jWbEP3A4?L+}r*e@uZ{ zRn7P}Is3=KE)Qf$W_<28+zdVR)u-zLD3Z>{X8LF=yiHr{>R8M=L{f5zyVHeCTtc1% z(gDSmj!ubJb_y0U!mnMR6zu0Qe>fB}Fr3iuRq!~NF|Zm7zlcu$|MVgzo!a733eYrU zo^3VcYg%`b*(lLu+({9qd{_sSoWLXSkp#3|I}l@u2|95HzqM9bL}_89{o*djKu!~w zH@d@aXv{`BUWtV;4b!E1jNI~qinSJgL>zy0M2WRyRdY6&1YasSdwZjEQXJ1tA!kES zDL!nO60fYDBjsTaSUkr7HoedAB#}!&2-um0u}RG3+0g$CgP%Ycq>bU1!`_59>et+{ z`5*#EoBtTeB%Q{0E2Q~wV&P8*-o^Cr@2b-d<5seu!4I!~>*FCHMEF2$awvwR;aaLo ziu{`q@%KsHEG&MtvhOJNt8^0XFsXnDBz 
zCZcU?1E-(ihwBj$u}j!Ru4wgG3@u#*sw;Y#+T~YSNjZD18WtSye){&)76*YX-f84_ z#C|RU_B|#dqm~FCNybDv6m?;>@2BC8GLH|-#sSPX0nweGqB~g?9}vqCRM{R^Y$i^T zAJiO(6q-DIL}u_n-I_}F`??V*7bfX#eKQNWN8J?atHgj9;kJhBA%9-;X7u}NpC&bf zy^g~?EIf+!>|R|vyZ|Ea&q@-Wm8t*{!xni1BP6pmrq>cOMR> z%L^SwHFnPPnC_dHTz*F|qwzZrpXjybxgKiKP8t4;7I(nbNng71fTIT4M>GzY@B4SN z4}vaG;&B+lM6s5(Q)<(BdkyPL;FTMb2b|j|MNm&Z)22D`@TUy^H3_5a9?eeTE!g66 z{)&2AZ|g%hFd6}4Fe15FVe*<05gGB7^ln1qK<+aVE&I;Sl!vnA^o80kC_RZJjLNqhxY%%;#S{KVV8fBm4;5*rUi`6PTR{{tEpl&HLF`QdIGo$Q z@{i!$bR{U0U>p-gkhOHQN{X%?*VenTqze}j5^3mN%g5kjpnkpo!snr$T(k>?G0P6!#OD{F~Q!VzgKqc#>+}ceReW zM<^Dwc@XILNmPDtT^@I7?hWc3uhpfIoIBk)c11q%J>QzFIg5x}+;=@gk?_wH&Q5|k zz*_>grjfpyUnfpmf&w8jo;lxB&sSvRIK1ohj=n8QvvH#QpOuHOBJH1n=d&`@ukh2lD$(!=3AUkMTde{F# z8bX~N)!1}CfCgTWSu&z#QelwBqHnHPh9_vY6;6GPBeJja?&Em9eU@WC?!4%-C&hQZ zo%2ahOKIA4J&pyD%%#eE4{d==t)}UV6(u7c-kCXD1aWoQy|c66!pdeWEz62*BP5RF z^i@uZxq%P5f?H}$p@CRU?>4vB2FBRsge9&cFT%eH)8dsHc_N_8d>tH?Tk@U{3T-$|Bh^Edh}<)!A0;19#7u)+P&8Xmkd%$w0-JR5 z@kD}O?J7;Szm8g^IOjPp zc4q~Z#yuHvo=+=`N@5nGxyC<`JyXQwH~r;vv_@SLuS%$A2X)t58pI_JNO*#r^}!O` zRQ2SW(?RH+AaW%7^Re?#L8V)bPB;CTr+!T54TLAA>}!_a3ankhCAcEpl!}218%~Qi zFd$wY1HT>PJNL!ca-ycpE9jiX%m;sTMC?;%A(*SA-)z!{0@u1mTE87oy9_T}3RM1q zvdQScy^O*O8zhfq(BOp)h@$;Hc-Aa@SsquuD38AaT>8#ljvw_jVI+5B;~`_Yf~Nn5 z+8i~*8D06XnT@5nx)k&ckS3AdhN?Tb-lxUJQoZ})IZQr-iiuE^k5pPz1=+eCUZ9L6 z?9b<|I~TF0Lt=X+s)#uEjmd*5gpm#~&!6aBK20dA92q~NIaD0Azp@eed=xa0yqvMY z3RT$>y|=WUoMY2npzx4+f24?o&uW@De&PeZ;beEk5ShUC4Bx^>!FJ5kDOLWV>W?mn zPEklxJ0!Nl@iQLnM`IBe$^h({hU*y9J2LQ*G%>_~h-`sagpt~Z2c(SVG*d`avSDA5 z^pDH(7KIGBtM*9DN$&F!!gWvRu7~jOOgn{iISa)BPNwpK(N273BG9i=A@QWCDa|_P ztBu_pR+KC;0hyq}y2nX_C?+Tsj#VH7!N#2qJ0Yu#v30R38L$7Sghoq!&RBh7w!vBf zN3_ViIwIIsY>wzJpF)UI7=1CKPgwI7RWr1Om>(ZKld@WH!=t5?q6BXfj0}Jf6Ka)s z62iQ_Rh3EpuxLo8lzFOguhrg2zD2@)XgHA4$f4`gC(G8F8aElVkguopDSqaq9{5q? 
zeJ{#?IKft3U3ZI}@a|Wqn-F?Xg^^^wKjwFjV~w*pvC@D&Y2C-1nt!C{dN3hGh6I-* zUzNGMF%#gC#^1Uz#d|r|9jI}!tKW*FaIUpB9T+b;D@oB9-W4e1=kL6v^asPf(;kv~5+2q?JzIqWGsOdZ|8`kc$3|7siSX~w@ zKauRyYTOIC(q}aLSRh>Q)IS?v&~$g9=7oXFWHqr^w^ao+qTRih1zHE-q^TbozXG*P z9w0>@@*Tu#0N9!z;cWtVEiT*>^OEmXfy0*R_aKVJpN3~1DY01I% z&y0HYT#z!GJtjXzi5Ai1;eE99&CKX=Z_2C&6-Uwz%O8#I&jdv%!h$LMZ=m;vEcgd* zRa{bOixmv!YLM4aQNA>xYcB=TMf61V;q`My%`SXA;d|9-5XnF>>~H7p*WI7!IFFhu zb$YpV_(%|^!eu;S8X^{Hv!R`j1 zw6O7dW(>c6b}NE>ji9V(v|tD6ve-i3YQ#9{{b0<__|8`i*1*6%WnGqrHb6Z{Dy{nl z*uDiQ*%hMa(fGnAYa=oUfJ~SY6pSu{Sk^@l69Ykv|2TPw$G~X7^HIg8AgjDDTsFco z&Q;KtqW%)hq#3VsA=F>*LU7lEqj0?tmG=bos~f59g9Sa$jWz_QQnQOh&f;Eknv{5Z zYp3m}yx04@j#8bo`0;?CeZ-!nnunRmi~x0SedJr6*L75XyTbRLl(i0!+sJ7~N9SXA z({H{pm;n976Jz{cnBs=(0{asiLi-96we|ckw6Jy`WO|Ion?{&dpW(e6|L%QT{=A=> z8BvL6n$r@coDQ+IrK7PGhwi(t06FAU(@Fv7q*6}F8|r5@1XLtlM6WzCsKi+J$PnBo zx?S^#-oBi3pn0{SbMhR$EoT?Y%T+QZxO-*7VQ)G@qm$v0IEuDN7SuuhmU(Y$kYWG( zl=QheK@SW3z>z{+NtSxKG%}4rU2O@RrQ2HSvkP50U*@l}?NTo3Is_eu_npu~#o{2=MQyb|X ze!0(=*;uIT^Nv<73&mG%W5iRrRC=Z==z2QSU~oL9o_^0ZD>O3H4o4mqok_PpVk=An z@jEK>8Q@4XbYF;Covhu5^9xPk68%5KL|ucUe`LTX<>}!%kiq$WIVb%yX{!`*dOrS2 zKtJ(#^@x-Rs+ZfcB@QEx8RnC-sSt1VW#{^JyE#1Z7l}!xn!$2ZF+6!ZE`I_9;e}eW z$idPUtTw)bCG7Q6-r^yrsn-H_cyf}Btj`8n{lq^JQR)O!#7J8Ws{Ez1qmrDR%i9ei zr_-y+Dnz2HB4xVbVtt~c4`rEnQ=1f63X2ih99smSzD8AZclJ}a)t@flTnAm-vN1Ss z&b;q&I77O}h%zAB;ZX9@es_h9>%w^UOUmJ7s_j`KmBe%`8h9_xpH%n+NDh29e+y;^ zs&qUEY#-x*PdHtyBqDn+136cge({M;UL=G(q!dEPEluvB1WqmTIO7VNaqRF#n;X1n zf5Jr#vtb&$;e?+`a+vRm5w%^F%M(#~Tmk$j?hSgVaW|~>`=l2b#?dbjgtu%_lTb3Y z@M({cfRpyVy&g*6Luxv?ekiS@nJ2&IhGNAtxer;LD#srr+;4RtZF94^3i55;J3fb_ z-1jGZS87b=Ln;QF+3i?t0F1tJd;JR%h`kjfdBPgSX>~P-@1=!UU=f7l!gIq?Iv4BA z#T*@x&k^`&eL4=x$utTvOKo0~(4!^=fC89!;9U_>7n3UVGx9;5^2qS;g}(Y zVS!Xo3Oo#pldeGv4hShUT>pJk;g#ILFT9}?Up2Q68%IV-n&oOG*79?a>L(AF z>eotgrjQu?hIB;OGimk;obmZ(Ur@!wpoBfPP@;9I*vW$G)*W(cvn<83d_-V3Y~03c z6tPpAJzfrBV=URTn$$*Zi06d@x0kmMw$c{+y(;T^XI!A@=mdQ_9N?-h`nHZOQ@VaR z5{I_v=MYQB`Ayqq`vy`r``h*_z!3g<5ElNI;iENdf?%s?O>&={QdAiYuhcH3!nVep 
z5`(xjT(4K-JqjMT3nrbg5@Z^wXk~F%a{yJpPJOZ=-0vgxxoL>M zAWnr^EGv@G(yA?+SbjLFH(l`3k*(`IsE9%BULu7$i$SGurIcbv6K;luXMRsHA=Pb= zS++jgaOmv3FNSy+D|sf{Y(0^1+H>Hl0n{f6&1)GQN_JH*?CXi z!&rpmoW=GGOc(_>iHo5=Ph4ye!t5|kXu;YZWg~`>U}I{V)6{MTwUsHu$OXlZ5KWX{ z=XlE;w(^b!fAGph1=)uanDELI{_IIp47>i_yS`r3^+aPqD7%P!1=L<7>H*D$3h|MOEF4;8cNQ8o}U@d z+8!BsmLW_ANavkllGAA)BFs{u?-b}8tmDEtLAxN&cb*{Fd?w-qUoldPvv#CBc{N-n zacCQbugRC)B3AhT#toGJGc&G-wLPTC7;%X#PZmGEfrb-{(*ibAV4-(W=JyVdaZSRW}g34@XM^5cvEXOcgu6%$Qw z79pA#(v1-TfU~&XKt#fr;rDBVcSLEfXeubdbsE5#;NLNcZ2ZrdjI;)4>TNAdfHrIn z>FPFP4pzh@I6an^)zgqAG^k>4ubt^dq9&QkB^TS3S5k5V-nxsSMiU31ceZcVY_2+` z`DXs2-{;F|N6TyC1?R}Cf8~e>tnINBX^Y@u{E3k@Zl#h^f(m)^T+Z5|31Tc zJvPi9O_zD9Uq5q;%VT^?RYEt=kFuipZ*DBPpZy$l9QZW4&s$C1?Qsx*yTw~)7!kp#~l}-7(1@~%oGMn|F%>uk+_?QX#C<@1I|KCip7DMGQgkJ<8 zS8B-W+j&UVO|S{9uM=e>!5eh zj`Q;l4uOtspcP{;71Y^U1K)?9_Ed{xET48dC@N0~30;M*_N~H5Gu@HyGrh&l#vhXM zQBmyN-xxze(BCIS<%2mB>qMm$JY5C=wdiVR3Ck|96r_-@e!F<4G+jRuY}{3E!{jMm zo2WR>9G>bf6tVbW1y`DpEJY&?Tw>LaxLFhI&=&@sAK!+4w=-97w)MDS7A01@7B?*o zJN*JWQ|`rPrz9QZ9Wu+$we0N8BK=KTeEmt~>&tV+!vNm0TmN4MS)aqE@BLN57~Ck| z7}=~u zJLJsGfK_>Wv^H2>t0Wv{!JKf^t&BnQ-C2(Omq}Ii=syL@IXr3L8SFg#2GbQRG*+A(tMm4b~GP9{9s}8 z2{i&Ww^bddwdWDS2s`Ra|D?>=`X#Lp_)Lw<2{i$RmQgg}xbavIMHM(CfZ~oRv>hIb zp9Q}W3za2+kTYalHONC`h|NUbzp$Y( z^5qYBaHQMisKkcxCpdcoIC-*X{Qtz~Q=#T=>Z4*U&vW3d>t*VXQ$JMPy!bAb{EY$u zO$61ZfE3CEL>9!eRdkv9szU0eD{+43p$$3RXo%M;ADn8p2<*otEw94l?rJ{(K)L?` zpz7CL@VOO_Z+>xpz(dx5NKj{Wn$g^c7jDE-JDrM8(m^`nG~jq``s-!e?E`8kH0agc zZD|*?r?De_-Gu<}Uq)&qxv{SUX6Zn}yMB-dAN@Jt=u-h+u*JsOt8>!z)0``j0CZ*_YQ;ZusMPZwf$fu`1~>&_BY2c9{kHOBCoF*j@9%HW+b0f znj3L}m*F|g@pv#VyP#vKpYn0XvjfJ}VK*H3cHdMZ*Zn%e{AO#}IlC-U zRvkdgL|Nn)ZP_%P*S+ncW$$qUyO2UTJVEcPmw={|q2S*3za!>;oWr>4sFCzk1!eI! 
zcFg`7=%WH!s3ZqTPWmh9#uL|_Sjfcdd*UnnGM^mD(p{gy4=3q9l$_C0FMm_4-eV3U z!7~KY-5bj1tC>|~$-d^OQ;CWc*#bUr_;i5qEmgF*3vzxP>RpIIkylkF-0^~hr(Qqw zCaK3h@W1v52aFVnJ0+2r}=$}DSVQYx4 zDMNvBuf#`&b-{g)l;oS4K&29xcRQnNN^^u$3qqIGX*-4f456|l0$S!viXkZ{ci37J zf{FNkq^8wJay5Z|q1NHKY;f~}v!>olr7{u>_JM)yKe1ySFaodA@toubzyq1yx+tcdTyL+rOfzs%WmEX-knDp26Ou z%Hpx*mIYO|syTP<4H0+cU^vAdY~*c)_e9T-hJ#}j@j}N8PHf<)c*>BLz15_YPt$-` zw;LUG`*ES%^q?wi=4;vIupfVTpmYVQSlwO^78?W=DiWYhh>6m=4D`Fh#`9;jGyIk( zD7gN}6Ig&eVXy!kQVpdl}hA1g-4C(=XN?7Kw&owX1)O{`vFN%%Z-tf@RpvFI@lUu*h-=WMW8>qWlsliCf=TUTcB}JBX1Xpnt`R9 zeE_r^%2_FEGeENV{PM@2{E`&g8U3uv3CMmBS@U(y8vP>_Hjo}N%_HlbE{aC?nc9iX zm-ukPLrC(>{Ge!F%q!3jKTR_D@cm6us{5>go(@*-2Rq;H98I~>yzbI(kD8`^iTy!g3zjyDD_nUv33#Mfds=+YIo{P44m?k3}0i z=)RTqyR6gi*drd_8vXKYC$M*OZp4*;K5t>t8M&wXXyXW|ratmcH)7_KT&e%B?<0cyZOd82WGhiruyB>~JNl zarXFf`E%uVyJHsu_tAQqUn#EBuL_}vy)+aM)S0$wT}#2;$%pZ}m3m5`I>fkmn$zFm zrj@iIa*RxrcbrUn@>5-VLAu~AlkxVn7UrnbK8Rx~GYaQ;P&d}{y)r`ihNUp$3-88) ztW?szv0+rcy~dvmx!yprXh0Nj5ipWN1M*0jsyG^(b@u8J;}*EC{}uySP}bRohW|!a zmmZ2`$bK^b06x^<-_b?*-$oY@)2`|Xrdwx^vI%F9G9uqDTF*0(WL6L0J>_tOAfwOb zFq6SrsO{m#&vXE+{Cge6OyW-5!xE&y=nN&g+_%G0yVIr?n_ zNNQx{6@pMy{iV-zxlgp@pS#!3Gbde&_WjLYH8je-PUMI~4`AYf?XN_>z+Y$-YD^dn ze5^|7gwG}6f}7E!77v4+nA4qMD1-PU3q4H;bhA17-$)og5VbDbVql-R=E9w4HGb%U zYayoaaJsFENI6z*{Ym+&@nMx)j)*axP>ws;kCcR+PyYHNLx*yTW%sq{Mc2x+2VEr=}78fFGhSVNIJ8xi~9pl`3?kMOX+2cBeFS0b1 zP=PX&!t+laBU(exO}qc=r*xdUH1+p+yeyxa$GcX1cs`OxktM3Zuvx2G|Bv*3q#jR| zuePT<yqIxhOM697yJYw*Q2|uV04O(Ef)G%b0Hn3C`rVZDQj#8s7S42o z33n|(xce4PuW8L~N>M$=ye!M`p6fTs&6lktB^vPzLk8Ayd~P4msz@o`f%+rqLJBA| zXQHG7cS(U<{>4x+W?~RXzZMK58#t`*JGtlcBXhY<6(~;T*SP<}jOw*q%A-l`cy)fe z_ot}{MpNmPRJ@>|vAh;Q)Ky7=+hRW~beLWy;^a*_q01piCZCNaA7VB^9OM` z9f%)_>bhEt%&N5FIgU!&-SS3mX-`j>tcY=Los2^gdjnYWmf-CoLA=f-EJf@;>r+?Uc;O@0=U_89yeTR4PqcOC+;_{+=_JXxhS0#@Ycl-{%`t6DT zRSwBoQTVK$T;C5|txFtNL1V$n>D-CY)A8gV*7ZeQ=Ba#_ikExL6>pmcjuuZhHbB<( zor98_1;C3S0WoKTe`TVR3e@h~izxMeD23!VuVIB{iTN<&v9J=Ix4+{$%}^>t)&Y!O z0fo>h0^9_BCjG4$g{uIJULT+euHRxiJn=197b?w9T{Y$^vyi#or@_oMm)|SE_`wVB 
zw^dr4bE2DwExv^oL6y$p<)4ZW(~bsiQ9#n-9dCJTJi`@8C-P{BSLjAX#>j~n-vC++ z*1~@u0fyo%Caki>k|EQ4)UA*{Gn;h&#;cpFl*%!xrfp+!jFTlFl25(Y;d%xwK^pf* z>TY@)iG&>QE07@na)wNw0ms2SrWg#!wdnL_#Py9fNFr1iO>^Qz@S7R6fKvb zp2yCAH7eAu%i@iyK!If;kpfiA`hNj=&EJaYI+!66b&y)tbL~-rAk4_i0ck`m<6?kc zx^D_2E3~)jys^i|avx-=6Tf=CPuzSu@4ZWqt?(mOVrRW;(GA>3;RXYJRQZtE?(j)T zXC=`Ug1m8cM6c&mj0z++U8SXmK<2?RpPPWEiZ;44(+n?tO91KSvt_u7Wd7Jz6+whZ z&|2w1>3*CiSN?SK8oBc}f?9_51ZXnyxvMwZXk9M3vMW3HhMdv^5+ z6igsih(Qo6?6)P{BMmfU&jc>`w9IO|wS9+vc_YCOR!;%}mnM?qZ{E1HecZy-4f&rx zL*?lYT{-rQ-QqxaVN16fWHYDgW=4{kc^}ErenecS$qn|WL?cL{)rU1aT%o7(@&S_P zd`zbnRYFZ)C7Nl_Xb3|YiUOdZFq455l%&})IW+&%j9!uOuTZ2roOk`rJHgnRWfhM? z;YT5ZktoFVl8p^JPY5(yYFqx}Q=BBVMZON4wIl^765j~kE$Rb2@%@F~`iSJ|)lN$C zn$TUjBy;Uzxc6+)_lMK&58^u8ja$)jdQ+W2qBz)S*%@MulrX^fO=|R&FpHs0Fe z&s$7`Y|bIs01g;0AzNzJVv8;>V3-5+@7? z?m{+elITlRHjhvRs5hQEJ50CtDZ1H;`lzwf2+D)1(3$&r%xH5nRuoV!Pa}#f>C_gU z$zpI!N6&6&bAzF$UFW(X5*wD3WI^ThPsZ8p#u-jppr{PRr7jqp^_eyz6gqzgNA7Rk z^03BJEkH9JmiN#0Mve|)qu7o!SU9sm#Gmx0#iB1JywuPtD+jjfxc@qM^4IK^-O8J@ z(o<9lFF_}YC(lO~9Y;?M&2YFnE8u}3n*^TIC%OCUR(KL-n>s%vW8pVn9aLsGs%O?a zNYYTzU^|)GaI<;Pg0{_-kBrj-#bli8XZe9d{mT0ZSw@PG;T#p7XgDIQiYy&tiP(DF0tvvA&&d^auS*pVd z6T4g~|GFI%Ok|Zx-jKP06WKj>Ev1rY`=0J93XStlP4wp8{5CB5`&?&`+ukRP06-g1{Hse-Q{z@a8q!{NMFNmh(rEr{vv9|slw>)c$nZ3Y z+N<4bRTH}+2Ds@Oagv0W{ICT}{lNM#oIuS=iI8%pl^yjvUp`ZEXx3Zzq5-gwZJ;Ge z4#(j~AcpRn9r-|By!o8nFTH{0b4yp~v0>_5bRceyrH;CjdivUiElzM02xjLnG|ryXpr}`03;e1$R&J<37kqkXKj8y4WFym7bMCI z@LD`5iyRdh?U2N+%X(e+9?T>b36)%oV|z7ne*|Avvpbu-Zsl>pT6xg-XXt3Rv zp(UNpG!BS0BD)|zbiwt&a^dT@JnOcNYuEM0Y*R7?M#cFRO=q1Rd0E=Z3-veRPz7zo z?gnT(&&~dRq=wE%_9`^h1ebluI^IcSHi^Sp_dGok^|F z(-B|I;IMr7AA*UrnZoIz?q=_jaF@C2pUf9jeA+ZlEkk?xoJ@Rg3^m`FIWqG~s>Txp zYBmRSTgdN}%D>nfq5W>%mHiUh$$DI$0+?peKj6FGlM9XWqui9|G2sS0eYf>sa&@!{ zXs~m}FEDtz(p!m7z z>6z@1n5=&WG2AWaEJ`Ui@lX;_LClQcM8HEnrGKTMG*d+FFic`_;Re} zYk(Aqe$I@E#M=g4gJ(MYE!r7+lMyA}#NG z#EjAn(|}%*9j%N*upiT3pcV6yDhN_hC&z~NSztJa;k3;vxADvSDumHhCv02W5{mqc zBdu{*EGD3<^ELUWc=+DWpXn>41I25zV|Xl|X8u|4Q5@bBOo8Wa`)_s{%mV?F>%GB! 
z0yrNp*jS5iU7zB03^c31Za=%^Sd}OpBy-m?thDAdsqM@~c*6m`blw2I>j)cyygUXY z^8@gD6DA8IE|zRTQvm~%{9@|F)9%NWemh#cpM4`CCuhAAn<$Ps6wVd1z zoi~0)khD2A>7+Dy%E--YTPy=9W)hDMv!_+lV8q$q?Vhq2koYLWQCMhJ@iU4baKNm*s2-^g9?5W%_^9ZtukLZa29(G4zpAZwIjgCTvIVr{($?LG(|neL zLBfz;tqM|(8200``T_4|(OJNhk(tT3zw>k3VB>;`$x6X<49iSjV?xOpy=FbiXPX2$ zbepr48t!+hEP$~EAzAEY2**NzT4y+3nnm}l*>&KskIG`4pCTNfLjT|u+9__sY&&w{ z7$WMf>Y&WR$%yJEelpYE)@^=TtkCfZeS$VxKkTS_`SQ}(pS1I7tdlm8d2Ra@$kl^k zLv=roX!5LU#%-@4-=uIbb7?)1-<}aplGnecZlr;vic2Gmfl~XPjDfQi_@-f1EhZ_d zurcnNwMq3c#){sUPSSa2GCSmF4Vo>9fGGe z2Src|0u%W9ep?w}y`@kJghroGTGQ@cA|I_18H>8+hEH@j(};_0S(O9)64VtR^)AN2 zju~W)sPMK{Je!53OU6WHIXVsg!Q;Ywos-&Y>F^-Y}`W6TemRFcNlB7e9?xr zF<-iUQ@`6Xua!saj+c-(;?!iplBo6%SHPFR&{N>E#A?Dv%BR)(dt&<_0_Gw$*fW1x z3L?Z7bO9_I)BVY)+ps8^3WwL6A82#J)u&*%3raXB`twUG6)&UI4w(vajmbXJ(3SN> z2n1TEXTv`r&!jKNw&W-=whk+YFzSNVgZijlGjPeLoV@JOv@I@M>&3Fs&aAZS@|iXe zs`iphoYz<2fIVw_Zd&MwU_VP!O|WTcqCb#oz!lxgL@RL9C{YT5gegQr9cZ8*?--jO zG*6xKhwL#{8W`v(s4&Epo9wY?idVAg_jFqx+*h_SmuYS-jC8j054b)LU+;=jhSSNC zgVs`=0^a-@RyIWiG*a1kj%veuOnn)*!Jprvp$In|ayCMp{Yf1zLw}MGKj-}LyZhCf z6)iEo!|zs?bsTTv?KsF=1?Hj-p4AW z;-lmp#@gWs$3S*8zf3UkD)KZxKjh`%tVV+Ju5FhhU4)mMvh7=;uiN zt?MOzA%+qmQE0m#&6;a60N&B8@y-o`C1sREuo)$IN9?hqJ=UtY?}wz#^USt20damt zotE2IUhwH>_C-pFVXT9l90$!SE{cdvTaS)6&2!}jLY6M>pypEEdkJ1RVSdXwspYlM ztLU#0A_G{f^4WH@#-XX27h@$fF#bf9;`K;rV_hPRXc>d3nXs#rm7TX*1s`q{($v08 z@574HL(vJcNP75TJa1pg!Q)BeUj=vLWecKN*u36M{W5K@dwi8CO7nzIQ~m?WfO$aAB&j;ikx4n)^N_jaZ+@Imzr5;8F{DMuyG zt3r0t^5B<1Vm!C8i-HvoGM}mk_ci|>+eBjz&`2%Z6s64E_OZ0$inktw_Q?KvxcDp< zg>o{4T-tK^^o_^ttX)96Z~E}r(;CFWq}Wx{uUAZsMWcaiI8PW4>Ei{ z37IT!pue3T6^Y6p!)rwa3YCzU41Pa2m)I;>0J)L@6-;)I0Xt1YZ|onDX3Y1?Gw5n@ zR50k>X@(?0gX|IPH&z>T%kNLlD$qXw^__@zQ-$j7E87V_(oSD5L3W%2&iE`0qF)XN z6A_ti_UTe2;=4+pMLmhdZ%?6NZKBph#Ttz7!!6OyM8zIZ6P{1TQsK{_*546>5$v$yD_8fEai z;(n&`wY!Js_p21_I?MN0yOVWoua|-Tj5X|^id&bM`kd_xl?smLnc%FqPP3@_dwm}* z`FV>3dHceD>Te{1o?vC$cZPH7Z+|%{nVh%WJR@&@IK(hKNGm()uuD^b#L_^~n7~t( 
z8B(@}!HM?@x(#Tg?>ksS@*wu&4YCBedC6?J9&gwWw+FdWzFIO2wUz6!&)Wjui46Vu;bh%MReoe9_+&oQ+}r=>XQ_4I@mVj<*N2Nb(sXY|uc>vdpIlmlK&|$1 zAZ3^3Pt7fd6olDrW(Eb&*^7dUekEBD44K+SJ9Q$#Y6 zpvX|z@Zg$D9z{-F^2fC;Cv<2td!&(~_jlngyQpU^aEi=XnWQHY6hm5zB#-)Ww;G~af z0;EMHeR)ov-g>7$F3Y|(`Y05NiJk=>(C|dF{j=fO*U=FahvtzQ7ydPCLjLC9-Q$Nr z&L*3i6bIaCYNWaka1w89~0X@6b6$8i+@I2sLU$86<# zl0RSzY5>nB@;dSHUl%gxEPig<%lX1qOEJWq>jkrP)(0`nTl%~rYr$6WQ;x`%b>eir z26H7psVJv$!7yk2(ah&2pmttkjwmT%nQ0aZelHv_9w1)m?WG#AICXI#(NZ6Dgywro zI<`SjUnisOD3iqxDyNk7?6;i2XpzWq!x=r01y#Er6=;MpacKoEU)J?WgWw1>$xJui zdJy;Qjws6y44ht?536F!iyM};yqJ#gkO?VA&8|Uv8*u{=7Q#);g?Im_vVt#^J@U;) z;FH_}MuMU$?pd3lAc6o4NrohjeSsn{KE~sOaj*%2`nWHRBr1Z6COaoB@+wj_{|$`? z0^FM+S=U(+d6xH<_eom>miOdJgqL=wrrG7D&RGShe&_XEG=eemu;{Pd;GP!ur0qmk z>nZx8?_B7@zI_q$4?JuUF$>X+u`-L~=Br7^&VGM~--uMcXVbFB+%Eh>BT z%XmYe{@BKKe7*MMw12uVRa~C?XwykYLsuf-(xAx5Pw3V1njfn>m6hw21~w>AM(W7I zu6XXLmvnlu>s74p-$Py^K5P6oo#kZ5M&8U7tV zA8!_jP7hbmo!{={lLC|zklp>8h`WHv65<65TA#IZUZ}Ne8;%YO+;;Qxd1kdC(M*E7 z-|BU9P-gS^FsyJhO@V4?PLuYj_yJ9ZTeD8Iqz`tW120M6RXvIYtD8hkd%{$42hIUg z-}U+D?(e-^z`=bT7r@jF%$rc;V_*Hx=lFlndB>JS_kS`i`S#eY`nGUx6_qg91NN|9 zBE1}jSOYsbleXBL=6EqRGRYc_VUhK~gRDLAHklvynjujt}55k zjYaM7D>;DM$S`XPS}B{5oyU37pxi(Q(;Uj4LECLuW;0Xdk^8}cBq)*hHJ%AXdQTOt z^SshV$Oze0ZR5$7S4{1`K^r;xPM7t&Jpc_e^t{n}6RV0Yyj_x<7X>xKDy3Bno&7(-o~v&nK* zJ~@g=cJ8I=e7pE)6@5t4?*_vW>>eRm+8ttHN3P_JH9WOXJlXMPPCZO2<(nXL`p0Z} z-jrP6b7XTQ|2Pu_#6rDqBI-Z>4|Vm88A`!w%LAh4{VA4G0#_S|Y++agRY2lH3NP5M z5)jq;Y54NvMKL>5j`!KNyLaE_Ih-&J4eai(ah!D#cY={N2E1#heB{mq)|?7vGJUpK zL{|?H1gl%@yl924AlW_}xQx&Q+z?}$kMZ&4i$`-!Mog~|iO~b6*Gd2?9Wee+DxII_ zKcKdj65k&E_$9M8TK#;vF2%af!j8krP$y4g=-25+`K4-|t<~ zvUn}KqSg(Y3+5Qxk)hf!AqZcl-Bk{wM4N8M*5G6eR8S+9PRDrL2;}N0<+V*zDfX4$ zaK^a@B^8ZCxH4BxoR3p$!@emM?K@mAS^0U!TmIA@NWtlX%{S;}UenwLaN$e|gI%AJ zqYAvnGY0nKyhyDcqtVsy!zF(ArXbJp_+4NiC+7P@6Oi*>fGLj_SlIdRl;=$~NRGsP_|$|VSjf-EFJ&K{OUYSXHc1}VZT1|A#iz7??>@GrZ+m==u(1VUS+F;^B&ufK6ICAfB-ecCZ zxwM%gUqVrxqmh*QTaVQi745<7)K-(OK&NF5(k_-Siq-oMFTnWRC-x`m{i50?o0-@) 
zKdid3lT5oj;^oZXv3u5$YzGr-XZRxH{SN`GV2jsCB)$pEkIkL0BlUC4X@(-No~Wa zZvwzm+;kX-9F&3sY)@Y%Ef>^>S_@b+#{c+kfWAVYaIZRC%WKRw5d!(3al7`geQWvT zsx+HRF0lMA-1b4Cub!S5orm3AB_N+i>@xJU=qxvv8}stEmiMit$g@@9{iztLPvRpV z2;|`Z72_p3$0d3A!F5gf+cYthM$xb9 zU)`5*42&2{&^|=m#2;5sN|wC{vtMRFU{dY>$k04%cr&d`C4OuQL2{luOULwSOUo#&vVX2_s%W_|Ataw9os)a90SY7?}xpxiNTSLpKc12~k`nnCU3Y z7|`3Jc4*FMSq5NuabG=026T8}6`Kt8MAUS;13m6=!6#L; zFB|hSVE0kfv16Y9KK)TW*nWa`YfE7TVwIAU`}>^R7ZKZ0?eNhyRir>#BJ6i0zF+dQ z8mww4(@?vqWrCwJC7_J4#)bKb(U5xl*{d)_122316a&+xJvrfRC-*$+KH$cDwe(fT z&8#$xOi<`F?*=~~Q>w{_NW%7&+-H~hZJ4`pj4@#|GIg@E?taSM6MXaC!bZ2!j0i(n zGYcLx^n7ETFTrR2|A;KC@GmW#NLaDCa%7^wOCb%sSd60ar^MH?YcgQYHHz}g910t3 z;6QNN#xPla+%Bn;Ri*@6*>sLWzjy&ZlhBINR2AX3gDle=>`$8fS*Cs*80w*~tkKZv zgQQR~fzn}*&)5r$^#p;m%|vl3F$Mc@=?u*iz!=jG)%j;{ksC1LetQipEh6~7P{5i%My7O=VnTPB*Jfr;`11%A_dTT13lsToOO2L~sf(QI_ykSpoI{C& z3`3GZy1LHO@beiueUE4oV%6vvJ?E$|abrBAXu5q~C*bUvSYp;f%i=DQ=mlJfL^4|J zaVUCNqwc4n20Jg4IUwf*Ww0}o-S-_YH?3#j1RxRxI1=%;i-5AG8@b7XSY!U#0E^aw zcMWa9abzvasEO2su(DtVZi+-9*EA1Dit+-%An>8_O+J4y@FGW)i8iXzUB1jx zD@g`$glq$xrMqvx01F@!%59dwTy-k12m7~6^*t&2A5*UdIAsA)H}e`FXa$}KaCkJG z`t&g-N(c7*{CwZnckFoy6Dd2h*VkpWxFZh}l-(Gi(4#*mb-DK56%-^6%O^D^Z%`(# z9uhK<=f)RCG>zm7+WeNfxT&y}FlE0H!T zIN?dghJP*Ho(YdC`aB0YE8wb^CF?;)s_kX8!TMkr2S=Fe!_`m$ zx9fC$FSrGTg@g{sz;v01UAy@{NFTrvvWxdmTiX0f;13OeC9}cifWqic;sxbd*JpI= zB?V!-auq?`OGTc39@hvEZWVKK$IHPje{vD+h^7kct5^U=gTLgm`u=*2hyX0q%PmI& zPAEH=8Vrx^>#6{QI?XS(IY2rwdt*}kw%v)+UKlZhHxC3B7PO^(P|-m8-TBeRi?s~F zH2Xc+WDFr)&_nm;Jc8evUX@l8);E7Fm+MCa;jtu%6=F3uV~UW=>!Nyn2T2WSp-uRS zy(Xs9nBq;C_qB)b`zA`OB`aX^qL*YEMcm??W;?VkDbtHgAPmQn%OUEi#ir{O=E<^e zWhJZq@dPxvBvHhrJ;?LzVGl5PZ#G!P{3PN#t3z2`PY;B}^zX(wL*!?^3Uub*%aMTG z|7rBoPvD9_6b@IK|LW>nR*Og7puYvdY-X{(Pz3izP(U0DnRdvJ1fJZ?g>aYElAhwx zgsd4oAIf3)sudB`kb9j9wRL-Wib!5`&$;)z<2eknL_(MzO+Pb?e%5B*VIKMFes`u7 z3<~-sEP_TY{>bfIj>zY9Bw}JhyHDt7e=?5Ig2IQWsye^WWts5`Ok$ZHa?8>2n~~`< zdJKSLEf@M{J;l@oYB4ze_l__iWOwh+nl2jwn{E;$fRQy8xFG-9N0*=12;toPQ*nx? 
zQjsMff`3A@0b}wd1@OfM_KLK@uD<C_oBt(`JE1{}i>_ zZ1rpA7r9H6GZOKI{KAWkO`buPlfWw)o-GkeS!8}KYUtT?OuD#FxliyitLWN`;#+8G z;;Y(JDzqn|U9>Uva{D+5km5%SxYjBV$Rx`|z7LogUlf*{hZ)g5vpYl~q>HiHmgy8) zl{VX3(c``np67VjCm)t|KpIcS5_@i z6Sbh>(_CCcoF?YL*V}5KIQS*UY6(-Qth?R%Ow&LKG8m?!>%DPh2084h27~v_HGq9{ zu=AG>C}6$sb-+8s#u5OWCTC3dlmiiJe6juRH=NQ+{az{wRQM0vK)2G)4pgnMhR~pZ z#S^rJTBtFTG(`lxvWX4q3{`8wOY^G1C-JCwRilOeCEI0PsQzx9>@}v1bbc6Wi5xB}=n_?4#L;}&I|dR)PT^C? z5F&x=)se5D$HUzK?itXRRmw;IuY%FbaXEztTq8RaP<^pIyooqpszP7@L}T+;ki)lI zK@V8)+MBT0e_`!y2Qa<00PlW^$W=K05YfJmW6|p+qoxjJ$DwFsp3Vy|D74YN=2AcH zX!f^mD52<)@|~y8^zC*`8jfr3(LICX{U%FIXo)j1`HjXrC7g{qti8YWyWALKO5ycX zo-0ToFiDJ57XBFoMH3$%uhQhm@OofSUQsigUY+q33PC`GxcC&KS9i?Z!q=cC@Q9-F zFs1XIF>nirA9ez;$?}HbcgZfz01$3)5JRsID9OEd(TVcgYExw3t6l!{fFS1txcDh{ z<*z^ezITBftmdOh2)A$oI#3QVWo`GLtw@GH_X@}-{Ko|^k4Jn&$mVKQh&9t3xPtaH z3l7FG34@Sq!JJZ$-l88J-5UaKJS2!r7Tq>GCw8qHqNxR0lh5Ezp*4(z3rZlga=bzy#|k75Pcx0M43F`61cLmC zg++0n-#((bD6b_Su|HsH-_P`B^$9XsTW$>_o?;RVi&>Qa3#cd$Gt1Y8WzCl+PUZH> zR}&>3k7z3u6Wf#0*Gv{M(_i`%pZ<#N#tmv9K4@MiFa8wLOXP_E+XE4%w|Zo&b2Xt& zBNK|?8;B^eSW86nTGB%wxo**SA0MUl$rEX3Xf;eA-cp5)khwvsdtG{2A&s+l!(sA6 z+)j^zq&zRHyt-n3$bL%L%Zed#O>!amB zaPf>&Xbp1Zb9gOg_3ln#tfHU0T-O*5KndahzEb=Tl<4IEnqX5G7u`eP)`=h7Lg;LT z8lh@XzZb=`{;P}Pk!Oc)G`xKqB&{N9uGkXc_`%K18t8#jcYw0AM&g)@QnfcQQ)C75dr59#Lrx*Ulaz zCq}p{%#>MbPv&IhB}{e7igMVQKH2Xr_+|#`0|%k{Br39*(;^&!I^Zk#FS7st_!n1O zQBBQN&Ik@8coFg0Va3J8F+qMCj)`K2$mx~%G%FP(%We)|7$)HpCWEWl=}d%ZWP^S{ zGKu3BQ39AiXH4NSEHEcMwpK8tKvn zq=XiwBfWPJ5s_Y`wJomome&7A>Ip-bkzYd0DXYch}Ypyxh zn!ok+@JgU~S$3T2G~08wrlJkL2U-Yc#3dy~dEAz*@QKO(JzoyhRzX04QxI6b;YaC# zQ!U8+sFl^EP%U=eZqRCT2R9k$z~tE${;J7Z$ls)zZ_m5QW0!wF#^%i56g#h5@~X8Y zTxwJ}V^GPKPw+vh6|48bPIz>%Vj`Iy(Mo%{0nU%c{Wj?+gp`^8mV9W;o7$xSRa;fn zne(=tSxCCZur8a4jjJi%iGw2PKkz_`st0zFys9ug1Pk}}Ue#E#GH6MJkkLn8kOfO~ zhxN))%BdW&j>Vt_&z9Mcp^WgeylkfK-#i?o4X+dB&I!xH!-fpD8C|6r!>BRf6 z^jPJltJ8BwesfklNcH;1uI9hx?xM5+>|aRE`u7twCnBsm+mJdh3?kTLB;#8@C_Q|w zf@S?2#31=R#NB>+yl&oZnN25*d;EIce6TEg_a{GDo#HnJfUnNy#D^?E<%s{V_J7JC 
zl$)WttYMJb%syveWADx-Uzupy8A78v2eO-c?>_`qyq(?VxZ0Ya`+{t1UU08*(ylWa z6B?V96=jpd#@eH~e?#`7%VrouvZ^g9_AKQVYmfXr@rIlZ&bTtkk5%=K&V{^_)&hUx zX)n<|M$?J4$4OGaMiBL2a`%5VFaUfP#K1exp6hzmh3mt@U2IG~b2<(Fu>^ASGQRv5 zcXRTWp}`(tn&i-dpVd#;RaX9?nj0xnV*C-~b2LJFo3aD`VIHo?5iIAV|Lna}%Q;J( zrcbK8oKT%LU@cQhsg`w&?==MC{~3P+MfCw-*@QxM%m7v_0xK6`FNoO2s!HbSNlh9( z+9jM@qq%s`)n_i1FH}sXsBs)LuJF?Qf+Cymcx~11bFPeomrnd&8vU^ujFLDy)13=b z52vs^7{Sg|n*}0UHPo&qWF=4~b677s7xTRy`PCs>-B*LhY@;v!uFn64Gu=!WK)u9p z&g(1vFx9)}1HM~gyY4bmO6d<~3f^rSD_uDM)qc`_sOM*u2wY%em~N0W zklWP!R?OtVL$UWz6IV)VY!yohsmQZ)#FwLRE<@I^FhhY7h_l+yt^GyMv%6F-ZK?&o zlIhDyXQ<b?*+eY%!?Z$m+~K@Op1i+*iBr+MA3ifb z1>ETdc?o*If=_opd*>vtd)r(t2#K?L+`tU9ITU~P8?XPD{l;CuQ|bJ&+l2-SBzIj}&Zp>4=JRQ;!DKGNDo-}LL04ped+R7eJRE37CB1b>G|Pv} zChdYLYGxb^bckg;{7h6wbYB>3H9;%BQN47YL%`eL+zN15tP&f6>BGDTH#2=q|LMmA zRJ$zlSJ=Pq>LI)W*afWi9v$Lo5zGvIsWl#W>}~vWW(1SI=x3kNDgkg~N~EX^5VWnC z=VI7*8y!DJ-fb^jgV!QZn8$1(2MApX>itzX64FI!5pzH+s6>hg<<1bfhG;?ND(@Y` zoo-%~git8Z!Y8CTAKUfDzkrVxI77b$vAD^c6C?~{Ek0@Lo4Ro``5q824S$z8yF{ZU z&ADf4!Kz+@P5*t45AxTn|6@U3RhoNL_qDyn&+&EY_pdGaQ?VkI77(Oay$G+iiiyy8 z0l{|V0bOJy?!3SnqgHM9Cj`jv%f$lq=Jih4&kwBJj~}&#?E3i1L`*!EiV*))RmHZ4 z9jsf7w)KPsj>TWScWaAwgG2_?$RPh<{Ugr%=%E^^o8C^L*@cIK0(o3W7i183svk)! 
z)CjCm&F?BLArvR3;(xS&AkgB#8gC_1gx@2pdTc}AmQwG-MPMI3S zgKwa80`+c)QG)M_bIgyK5E9vr2z`(XG3;#E{=;!MqYuM|uN1R7HE&yZcO+>utVLP7 zWT8T6KzZU;!0p<~+_EyB*XMOY^rPn$(xoJ_9yG|dAF#zM$A`Pq%+NApnv>ZZyj?fx zgGk|l73cldp|ZVCHs^`{}+JTzgoWdmGHK@Fem zcid;~pP_s1=q#241{y^qFL;0jGN4Z6ex`C zwSN?#TS=RsMMbw3C29jz_E(_SZ!!c0_rE;%-V&B-Y~ShBWur^D&)t) zung&mLQHl`g`W{0sfP7eQhZrXPNv=vQDX~W;NMUox*RgU8lti#fNt^J8zmIfF?n&v z8r@h}_Y1K_er9S9K$-RnB;Wo7l?4h9=Obs`0`28Alx}(bc{{ZKySMZH%9Gr8f6oH^ z|1gK_PQdPNwgX58Z^9MRGHREM=kJ{V8FPuw0t=h6LA~+U=S$0l?yigo>?;ftmG`T; zw`9jQveh(fe7K={i7Il2LK`}fPE|Sg7Yco5L{znxa!vH`#AT3d=}=_xV-v#XQ}6k( z^r5Iz(^kk2IJY7}c$bK)n_H#jr1x!VchntcRU(1qM5?{jW896@7D$(csPE29*rda3 zH8G^=32h}Ow-lqju%ohUcXX;p|8qP;9eADmr^~7ZRkFf(omU@#N;}4RaV`II=WNIR zO={0-t;pqs!d?n{R)XG-U(4oUpN>*3TpM1_Yp_w|(0*AqXI0TiHEQ`Q7Q)_-K$UHF z7MnQPVifzQKjGeg(1hs$$4r5R*lgnqv$a_NB@U3pVd;OS zX_9VV156gxK3@K%^v93$9?M^93Om~7Ura5)Pk#0BHr+y30MWV8_%f_jm~ZFnO?n4C zKzkrHEbixryVOtd5>F}Osx*DnT}*1oLD$Rkc;4pZA3w9q^i)sHnwtAuugmBRh#^3G zGJ!(U;nUp__quP|FzoF+ZrNFtq|7!IwNd~m8amUkRT5+J<5yC=1Jj= z=hM|8jSD;zl3tb8?pBL(51mVFrO%`0SxqAfKz4)SuXX|E4(F63u@GVbz;Cu+{It4+5f3sJsnIr(T%|=N{k1d&|lF&w-Fvz=|k4ThwVuM+V8UY$v4}pmNLC;$tdO|LZ#w#WxuRlX{+V2{Tutw;gK@N*ZN2D zUi^gFnQ-P1_RkQzOs|{n%go65H7H8hg&D0ly~(@|AZW`pW*0Kbr80J)haeZK_}jY_ z=sNyAm)i==Ga#v&LH4M^-1Sa!=bbw)z&Ssi%F$`wJL|`M7h!qvbdSs1Ri%6vyf|X3 z3CvAGqo&LZrk*9_kxi0=rXHILU8CYq6VqFKu&(i@({5@q{`WojOEnq`+w_h0H_}sv zK7T!JY1Cz?voX;6G21;$`0u~dPnLT1UyE)XFL^LhV@_oHikY(Yu;J4-X1{yb|M`g% zOWKtX_sVmXn6f6`Wc=|5p4gLRKOO_@fk~bIwFb{)BzRbz@W?E*S)DI`2N~~?W>v{eXkbNoV&%79|0-9 zNR@$&2lyk%pZ~y|onla&A!EG*)(P$BNEVr%O8iTPJbKjvcscuj`>FJI$g}^u?)jMA za)X*%o7qC6)3Ni2W|~dShG%G{thWct55(SHs=I(|X*B$ff9ePL{kk2f>dC5Sv_XAw z+@|1dR)^Voo{^mDgLkh~2z2%JsHX56KZCJu@<3kZqrGfEwt3=d5GeMNL>SP7!Z(#k z#J~J(bikW~KKc(RmA}mXF}wEn30%apS|5s;4_N7mrx}ou|9*_U=VC{{s`koB@d9c3vTr&wf{DVFD z?>(3pCdlOhtmcNEGlqtz@c>m3jYV`==)5%i2zSPEa^yf{e@Ouv4^)OW|5|QFn~bj@ zO~!P&qKPBlTxi&(m3Io%kf0;8F&ySvR-=cATHR--?l0)TI9D&mXgZ_fYn<9=QZLJm 
zKU}^_Xtu%WX2gvfpo&>p8kSz?5_va6)O?at7nhJQzU{|-r{1#9^0DcO;84>qwgr!F zDVN!g>l^*N(#+6{gS^j1->a%B-=5MfNqK5EU1M&>F-6n*+&1-tODTHPzjdXIU4I)r zJ+g+9xNBtp=Sl*l81*t~d~%i5{X5d|QU5O*cmAbdLeBBFC~zTQ=JA*?ulfh{q2zgB z+U?zT+eGX8C5#0cnL$PcGKk`sX|ux$F3N!Bv#}dqzFk*a`v}SCBK2Xu7U0`~H-{P5$f7s_wi9Z~K*`ZtoA+}MC z5IwJ-0oP_)ER5_sGyFgb0&g7GtQia4qFZrlFHpnM*0w7VBU?FrG_@ z;(BM?<<=e=$N5^ld{!mOfZMm+;rUmP&Y_?%L{bq<#`DeYpHblLP(h}M@*{u z@pf-S(X-cj_KcWOjPBVz6o(x-&R5tRJAHH#rpOZaBu-p{I+yd(S-fdNqi>9Sbu^M6 zX2#c;AO8{8J_~T|H}z(Lk@Z`GXMn!k)v*6{FL1o99k=19H7aYUO-N-pPE|hKHWH`& zpm^amu)m9i91Rh`iVAVKrR(xRx&jFlOz}7Gr*VakeNmviuPPUpb~9hn$}93AozR0@ zajduE!2{1!yCg%N$Fpu7?bP@TNo`Iw9B29=Og)i@Qb-I01Cr79+(jC~F&O{pMxWAQ z6E4Y6OTZ7%eEW6-qR+p|X;FMOZz@~ByY2RDtzpdw9VHFGq&H0`7J$6O-a;t?2$VK< zZWs!0(#mI%$_kOjxbbwd%DgN$VE1u>r<;+(_jD7MK z+%|W!pXCMMpo162;Nnut(K?y4D{u~FMg*}?ZGtjWjw!96H50SM8S5$P{E%&D!e)1_ zW~_OC6oqXk3itUHw*?)&4|?yq?(A!>4Nij+5;B5H6&s)XPK>#vxM==bBAtm-r2MI}aEoi`l=3=Psl5Y{Z2ag4ihGe7Kd%$8ypFmA+*SF8oxcQ3 z_2|~8=OmYjp0bb=zrm=~?5YjAy=9;#bUf!>+O+{b!e*(6D7j_TP&v+J=}&IiDUyBO6nDteVlfAhqW?{*Lbw-Yh=rgsMEF*Fx=1eD zWwm^Y_m>DzvG1p1p3j#}ND_9Nxs24}P>cQ?tUd1frX1r;8M=?Z`W<0XB6Cpn4z;Hn z{%KmfM(5^n>;1{68HGkp1_qBDbyPi2)C%3&X&WgIRf(#4ByNF6e*HwPuXNhNON<+; z7T%$s+D;2d zG@JJ*L6{X(owf)E{GpbJ0XIET?@aHWm>p&sn7JkJJ!xxw^CTP)$>>F!Ew}|p%uy^VAOv1S}}8SFL5^misuYtbO_R+F@;UUAM9PDR z;?K|%seE#=CZ3Cf=Thb^VeOI|9SJbMGu3H?)CCSRTae?m>vRtZIcvDEA2wM}P+U6U z^uL#Vop6`e$EP4jQW9)ONnhZJU`qkDV7D7z6#FNnOFU0#LNK%1WX^Wd1S|-9y{7!o zR|E50sPI9==e)$$jP^c|U7dM(D!Qpm>o@hEepgkwSYjAxiL|i+8uM+Rm{To7PvV3= zk4rMHTTffs^Z|ufvAyS(=VXoIGmZ|X6ccdiyR9jy-Cnb@H$@l(i_4Yml8 z>DJh{Od7Kn4Jq5f2+b1;n4erlp@-o(ab#{>-uldHv|E=S{)|7GS6t@gj7bP5U*wX( z#4a$XloGS5@FC{ZX*dbM76^u|Nesj3ITC7h&ghZIPgQVIz?APpJ%H2Das+?I<=y3N zUCDY@?K9`Dh*%?1v| zwKe=SsKNB$Vt=EDFN&SG2$`M_+fUEx;`Txm8!hXh0zNM*cN@86pp%_o^gT|hw zN596{kQo-p7|D{dl8ZxqvE0*M*Ljm;Tk=%_IH-2@ZJN-7?vE!X!pd)(sp&q5Zt60i zEMgdo`>*D8^$~Ms-$O!=qc3V*F{&&|4y_n6i4(clP~{kucFn6z4D>WRY-QplXa7Uk z7F|0N9o30KtWxMyQp-`&pj2L@E 
zQ}11FoIlt&)y4xInKdKW!Hv^9HvYYT$r&h2!Y30VR1(ZLHi9lczvvA?J2pqo>+&)EiDNNtt#h;4H&UzU^Dyg46iG#q|6y|vFrUQs<>jFloUx9wZ?9T#4I-_@~y?X z9GRgEo0WEp^r{-A5_)!lMM%xiIvF4K`VrD$=flP>&TK`I?mhw ziLDWr`T;uX3O4@~QliL}T&l1?Fvt$^N>j;e>8@smP|8=>7L&E9@UWxjBA1C|WdmgZ z9s>pY^SkxxbTe=!6lflA#A^bEP;^Yj%17tZSOL_sYOrurg@q52u8-29>l`pFp<~v& z2aHcQq(q|nkf6<{K)G89T3rugk9nlK5pH9;hpPkbty|7|TR%P|(eJtB$5o6w>xZ7L zpKx%V$lx%?OBlVU*J0ino{Ae{W9tV;D73Z=cx5c*#-E5Xa^T0zSZ%-)>$ zMX`Kjp_@NQgITOE;2ze>xZ7;#$gG3Z35m6lTUUe2}lt)1+a+jb~ec=4TH+BvKn z`{Hu=<}yF~`qX8SGfdXu+`O(|({9_1RLQzTxF~~&Lu9TCS_NCfIn;1F^kT*>h0b-_ zuYG+@&+vR&ExmHdn8ppc7rIt0I0T?73uUQ$<5*ttrQW92Qt!jHS4%tf>=>$QCZKw@ z{o3|abxsqoZGMdP-%|SQ;zl}93%fX*Ij|w=7jgEj-qEq=ZE)^T0TG!8u?|C@bmPED zMK3T^bpw(XOzZ@`M|P>xrhc7VJ^{_B4WBBcKMu7dg7)pME$B&_hOyjfZkRU?v?yx@ z!`rnxiL?e1w1`}Pz=YP@BF=kGX-s!g_@RV5Rg1y`Z+dpeS~i0f%R>0u2Cmvqqsk*2 z4v%mh;#>H<_WnP{SwKBT4a6lNEAuy)23KPXV!R9vkzLgr5ge+)E8rYkJUpk&=&E6p6^!YB~G) zDB8@nYk4mdxYYaZ8e^7|mXu+oIoRwPXN|+UW9q^S^I$V#S&jP}Gd^x}W3`h-cM9Dm z0?B)J>&j%h79CCw8ta{xhs%Gv#SM6E6XQrSRP_p+@A>j6Z|97*Ci&KQRqj;5olp}4 zDb1@p(>bkX*+CTdjEVrLoJfBiX87tN#J()Hn?pOko$kqF)bzx6YiUjz(A#Vff(^-= zF!=TPwguL8Hq#sx!0F154r@s6I`}EcEoIiP4^!1vA~5e@3GX)c89%>p!}$9`*CcS? 
zFgmNuaq@6Z?Fa$)^v2_P+$Cgrd(Kd;QDT33^2O4cshjLAC~emBId&Z-6zm zt}igbq4s0MveAxSsh*0PWT-uMz5Er9jIh%XiL*WV3ov#sBh|7Po#a*u$YJ{xF3 zr=S8qB{v#B1U5sH%YB|niG73R>Oz+(v7k2vJ^>`M*++=sR@B%bWcjGC*v)d&#DjZE zsMM(D09$pzE>>!x++g+0HBexvRRO^I5_2@cfg`UO$mELGssPj%MK`bhv+)XU?IwHI zjDINOTGH(Iixg!2@rP>tqI-`+9}Fyz*N&Od5xSG4!Dvfnv;=S8V-J4^i9wyuIWwUo@ioMl;;hW2OgV%_O2f z;!wL~J$5#6gz5;?=dY6|@+M#G%nP~Y6&3@%JXS~|oJ#Za zP$(%p#?3$Ir`mr5z1_^n@xPEoG{MPm<@JLB=Gzw0X3`BW>>EzT`mHh?i*BD9JY((Y zp=@7^hLFc=HbdX~z;`{HxyV1xsSEjI!HZTK1DoqANGAmUDw9WBFut=;J^%ccf-bUM z_DzzpFaQM-=iJI$FjO2QBvW7rX1+s)vBS6<)gdT|!DS$bfjT>n5W?v3fArDqbQvDZ zhU2Wz-?g<<{8Nm7$0U?zaOq0Am^RuRZcmPVLil4T&;8C!9-0ip4PHHFC75+;qH}HM zP78i#tygj+eSW7k2cba0-t!GPX%k(D^y!>*9cqyJxI3*V)zq&Jt2~K{7Vm;Kc1gOK zrg2L(x$ooV`S=|M#P@|#9{@vr73FI&z{jO*RR#M5!D}ffAXENG{ouWwIFXZAU zv3mj6)QM!nE)xYQuna-RJJvlT^+DO(G)KR;L6aV}oVS}1U6+Fo2p8U#@=m4J?G>9# zp{79)uzpJx4=?oKv!}_NtbkeH6KAHS+8I=TbHeIewWtozJ+Xu`yL=HTk4!0gF`WVd z*q(g9;)L~n9FOKX*2uXT(K7Fl_w}pq^}lBUa!h^`-zjfIT<4!2*jXW-Q;xg~dbJTI zPj*o5$3MMf?ADo&>hzSkLus8VhOpHBeR_cAJ$0KMB_&JlKt3qEljgeVA=cj1h$ckd zEahM-uh3w@ciEmxD=pW zkRGr(2aX=G@HJS-3L$edC(=7258q@RLzd!YuqTVS%2WI5huTB2YDu*Z6z)DJy0xYd z>)~kV;|K=LRXcLZJ2x#7AF~n=Z*c5Jw8_5VBO}ax;X3=ARb^1h4$KzY8?0X}2{cZw z4W91d;B;YoL zWS=-Qn*%u;g{rON>BRMEW6&!gdVB9FJRI@@O!_Hr3QJdg!1X~8^gP`ni(Y|`&3Ik< zlvpMpZOj0~e#$_!7D(|$HBj6f(c?J!9s0y>T!?I@ zv_=-qktpbF&dt`+u49_`V?~>J$-J>z5XD^!-kNL(c{hiaUzgfu2XRVq?mh zY(KpdZE-WJ`~+Nx(rZ&j%{P2POm)#zHZEoT;kZJ6yBD?IpO4JPe3=fW5nmR@BkV7J zI-*3RUCS)hYCIW$Hv{xcXr*S?bEdNAhM)K0p0QCYs$1E|@a%hs4?P(IV*0 zBuoT|IJSH5DelRgP!~-#6I)%T;b6Ul=V?hVmogXDW|e};tX)Pt4iucBqO3g^!_rB` zJWUrg0n{GrSJGe_~g*9!B}={XNUa{m~M;_kfKC zZ!;Q>NJj2JCj{?gk^ZsvC4SDFRH|ol?!O<1+%$#+5865!hNXSy*`C)Pl7gl%yuh*G z`l^gV7FfBB>ISb7A`_qf33s(rWlff$1_gfwM#c%|%?qM-2_Up70`BEqWmTa~3m_$W z`h)Ir5X;nvlKCq%$Mbtn3vXWmLY?W>$XT4-d{X-6Yk(eC);>6jpbEIao+HO9U|4gl zU%w~T85&S?^ul&K(=ZO3e(UaYtLsZg%s3dlBY`5|V9PWAom9C^oF|n`)5;untU(<$ z(F!mB%^stjwT;U^so$qst7zY*0V4}?{NuF>ayTMrc#~V~r;`h8B;laAUu}3;pHj_B 
zLYVtglp*M4uN6Rx56lk_da3a=)u%ZBPFZ}@2h`EDFuwT|%PD3OY%Wh^zVZId{TN;D)^PCAer?BX zI^u9lDqK&W%=z7yNLs1ZiXIUV>1b?M98s}&pk6GZ(3f&iVM_<1U9c1SEQ5VAOy8m=cSjtQgS zHNqcySvBv3+GK|G5h7c-@|eAU$dGniTsvOXmf?L-r|HxoB!hi$iU0;I9A*}u zc!fFWR+=vl17G;@*_z+hLSX_erCR653_xxfLYIZvKEN~G(r0^D?|R_;fZk-|u8?;m zgWo{q=+%L$YeceD1cx~D{|a_z0ni?-?sJ^DnUl3lPyZJF%yzQYFL(JlYtNU$@$u~B zgDLuQ^*X_6=Mid8wy@LLo>1nvb~=Xa+EE*K2TmlABzKzoc~Cp*<)>EEkV+N9teF`c zG8fmNpPn_rw%dfq6)9fRUuokysD_8)vpir86`7>0Vf@*zjqHb8E)t&irSL*^=KasM zl*M{8=mB|bH{wzhE#DzOkQIowJP+MrH5T%IX1#9TLFhSX1ZZGD+1hl@Jc2vl2C3db zBu^$%aU{xW9A*_ov1^oB>i>3FT8Fb5h59Awte_idPcV@TqN$^-pFqDg1vj+dbB> z29D(e5AOBz`|2MZzcolNV?(=CvaXT?TvHpmv9F)E<<*IE)2^vrw*Rsf4gyffr>9Mw zsMEG!fj1*8r`yHlV^anVu2v0O8z07s+))Q{zaLsVU6zX-h}2bo1G-Hn7w95NR2tuJ z%|&3)x9_Yf2HYoa@u0w7#-?zqi`f(L9FO`38*UrgP^`;z>4QP+esoEi%uHG?7a z6Lnq%?==`ix@gK$!8UkioW|5IZ)B+GMe$mXJb7XbESxJ`AOyO9Rr};0-v%Iz;`khSp*gZW@3@IcI&*TJsO;{wwRv}h6ZdJi>GfRd z)0{TpW^To0~GBaoMshh#1v2kcKMtEDD=_y5N7lo4-t{ z+;gqPyPpRJ>S;Ox2;>d^|BB8W0AIV0l#f#rWCz?j;*|01`W-r%{d)G!NS6(|VpE#q zBr0vEE!=T4xlCe{6RwW8O+^x5l{L~#JQg*FB%3mLf1e;B&=eXe*-rGZFF82&!lS?z$M-z0D&fCU}A=UT^PTIfk34hySGA!JA<6d?L`cNOF7V)*a z58#3~H}|{I(uoqGH;=kg`;zKzC1d~%ZlMe!Z4)Kk0z`IE749-&A3%U_-B^o!ZGQmJ zLJgb8@jtIR#V$#)rr3spc@LlDDdzAd0{Y{LJ8dO$S()J>UM=En8%K4Br99aTO+Fcg z#o&3`otl4>r+rK|7tOR&aEp&KfR?ofV5a(~=AY|aBLqYvPrLteg0E8s(5k1HEU4q9 zV&{Xi4ClBbMu}6LW0}7gaz_iRWCO759*7q{%y>vY1_MLBw1{_orRd1~X#rHNr#`CkTFb_T9XUT;1 zAlVJ7)+7wzj_=bqW83L^xaASC%g2lNV>Gj$mrz*lIpX5FG&6c1AbB?iYaT86p`)N% z4Mv0MfLiv_bxLgUi*GPVr$>)NYWkpw+sCfsCEk6U0MvTW&~@Zz=n1FO7phoV3t`~$ z;Vxn8gfbOF-dQ>CZps1lldxnPvQY4}}5;rYQW#f{r}lrW*^8`Y$4 zn(E_uWGS_b;%A(6X}*Hslyqn7l7*(DR#)^dR{z#C@mmFrX>T(4F~r)D9y-esN&vCu zENI>GNXX6sNw_xgFh&Je%$tH&tGk87e&XterB7dpS4%fka07rbYQW#+t0a1i0e71n zoytEs0XeQ9T%YOE+$He5YZT?ilceZ>Z^Kj&8$*Xvp*)ifX5nqwYaYlx3|R2$hejN( zgve1)=_{Y^+{Z_F*4YjyzWBuBZ40 znSMbp?)84a&(rjcu;bm2Km$8!^Y2c<7yyaqi2P`g6_6wuL9)BOkw( zoN{@&F{y5__ zC3aHRy1mJN5omiA{qheBcWv*!!F6@L0r5o5RD zW+~?n4#2bnRt5*q*1EVK7|WTSO04QNrQ5ojKLXbpGpm=z6xHu*8W 
z*&ej`1|+})&o0gEM@`cU?KI$2h~SlvXrB5CzS~UoNT)PO|IB8-P0hPr?d}4|Jn}V4 z=XUXZW1r4^>?9Al&z1PfJf=i`n7e==$WQ*|V-O-j;iFGkBSJ}RwdA`WYYzy5edq}; z@VdwJol?r{2PtYQH0KU>K142dHCpt!cqYui`>6Gc${hg1ZypvT^U{s%0p+ldO=c>G z?|Teytk+g>8fp#w{fk;sQLDXPFiVpUr#WB}xuR6?Q}V1w;qC~I4k?~0vOarvywlh- zv7WB0VRM9D6iC$r7&7}}U1}(BVTu(0f&-Dd0Sd)h6<0ZTGu;M2OZ57AF0tnL zG+4}4;|qAczUeLq9gpCbi{^km6hBAQK^Kt3Wn)qs-uZ6B;wIM@#3yJPQ&EdPNAWf} z{(ZyhZn{Hp-3;&>ssqFp;hU>q=DsYTDd%J!P5@v+JOEKpsAFARA}>01L12Yvyz3m< zIz9|2(%MP!XKy!0j5>{xiC(t~P>)e%V7l!}0r!_>#cVA?neP+g6Ee}Y||VzOOdP9uVm%@<=4u5q5}JtfnyWNDhC z*hbh3trSz2D2QQCF5yHnWXYv2bL3*pT)y7{=%88*v2IIyZ2~|_EF1Gew`Lr6`3 z2xma`8}Aa&PD2cvJ~XvBVye`LlRT1+lRW0GfdbLk?m#rEkn{6zunsd$p)7p0>jXES zDF+CYRj;u&W4V*6u92Lyz=4iB?#_euriO-`>vN>(xdI>eUV>gaBX8Z3pa#HAnmRlN z{&nD?_{JO^JHe@Yr>ocxiT#ZO!KNNy2a)9%yXgVah_7eruKw;8Dm-@3k#JEw6iExm zHX&k_l$p8Yac>qGqYt3Zbx-6w>GdfqdMTsn&=KdT{8}15i#{lg2cCf=N)_~d3pJ}w#>dr1G3q( z{)u$1!K-D4!Yp9I$6!qv*j7US%0+cdD6cni@g|H?arFNTomx^MGS~W^dNgARO0?91 z^92Ow(KGCXb2%mH%~f-;5rE-Q)15@J2>)NK!0a13^_6fyq!0|J$w`ogS_b$GV73hi!@~>)_ZivX0!P~1F@TEfIe9p~ z_9Jk+Hz7ub1HeHwKm#B(>)Ov9K_sh01_d#pusD09@AHlp9Ftdq$^hl2fhC85tUb&MY$B1Sb^&yVOqeC9zc-6B%5 zWv$q+Y@M2*s9)QeZaylQ#&gy3h%+^~-aJh*KW8E>YXqffjl<&9aOwRef38*LtXiF# z`-f)ofWq)@a$k$H0rB;N;!dX5LL993K`F-N^Or`44Lt0Q^tU&$kOwX`A`4BG$iGoHm=%GV_VMoGacPvOc%j{0`lf&J#d*eIj|Ne0lUh?71K^%{V* zT*B?oZogz-+V;CpY+(U z{%OcfI+h&Yi#X4Zz0_kBqdH^ABKQ~7OQYaBeR1>Qe?X_h1E2vctww8=HvDKBTAzrv zxeYXsHd$WA?6$DaNz4%&eV+%pUZBc31+=#(`IPqd&lbc`C*#93`};FGj=gq+%?U7` zGPZm$)Jn^BC{|%FfjB>Y4PKDPGHVk3HR@I)>f6GZ{}rYJVSwTa8F;W zrhGhOxn}{$^AS}5*m{L0k|J~A>}|%qE(xA@`gf+6l1gh~;w5}PwW#qk)<82zPa=D> z$_K&l$byNEmA%DYcj(P@5nz;!{+&Z7u>abagHEP&qIJ zWWXWryVOfcFdG zSxYJ$6a?9Q0T3obs2|^4TmkMZqM_{X3YeV&^44)e2l0_dXR!#?F0q!1vS&yGC#hkS z>O%`^>@oN#Uo3d{bZ1=qi+piHGgo$q`YKgAD?#Ox$8Y{5k(;zZEXnbN-+}NF1(HZm zJ3r6MC(d%6!Th^Gug>x*>(A`D|F|S!O6STaN8IZrMqr9>VLxd%xeGkr;jtuAJuGTG z)lo=(g@O+spQq9x>7>h8eGmdvBjB-;S9L6Xe(RT&1|ad^krpuJV9e(^#5J~>Dd^`+ z`$2cydJuy%t#iua{c-}JAKQ8ClZHmzU@((9Fkc1P0p{^e4-#V5KTBgQyR$svl{ut$ 
zKxWlv<};FG+DVH%2~P-D8hV1Qg1Gs8}PXMpKSx z`c)9fGKk?tUFjpV4CeV)%`7%No2%jL(702L9>O+##Q@(d!8?@UkxeGJ_TpeX#$4+W zzkYY5k7W^PV{(>PwH!SZ2aI?2?|Z(X4bJ6X?N3p`1qz(7F9YcdZMa!!LL zwUwkLd#N&Z*o$9cIDo~3xWH}3$63u(sxPr;#S8A|6!;k?jdXF7z9gHG{gT5x#jpscmAFQ_#1xH zZE8}@`z?(~uf8>)Dv$;QG>Q=cvdweaMnDa{h(cY3Gu_M3FH(4`{PeHSqLWF{QQtoBLfK+SXR3u<3l-Rc-*D->F;l}0H8GX zG{^4|^s&jKCS+wOFNs)P_qEoUNBgv_Dxu>N{bMe1uUN{NKm(kJgzB|)LDZqQ8 zNzPa``QU~F+?ZC99E%)QO{m7@yiFFAAHA4s;{}j6@b-s+)Em;T)O)@Pc z^AMSetYscDW=f`%qL5i6Q!b-Csbu=y?}gguoc2EZe9q_l z$M3p6|Lp79wOY^f+{5dB-NW-N=v+5`24VlLih3Czau^WuR|F);lROrK{XnA2qF(E<(cv?O0xqJOxU$&o^U(7ldEVibUC*c|A#9RYWY`I zbiw_C0#QUrsZ6TnA3`|2+_P)wi9uCDH+69AZPZ6#3DO;q;x9bndYnO6PbHQ8Z_akV z=ueyc{KSg~I76+RpAS-ONjdXRq3EOn%GHqrX8G7;9Out9PQ#c)%6XtDOQt)_bk=)J zZU0e^$y_EDVqZTi9*2lkQv^zZzp4jyFALa+50}%zAax{5xyQr7Z(hrvs*5a#?q@g- zHM#O=ofbu|SDpC}3rmDPCFxQ&z#oR1j2MZz7jHrnioXfm@FWd*jz~bjPMXffSX`1* z@N&c3+^XHXkiyBH%WwX*Z1R`)cZwyf4to@&s%~LLe~rMVL6#hpMGpn6bUqXovkPj3 zLZ_?@X?&BBo@;zVxbdT=ODAc9kZPII{~fBu>HjqKf9CfucjEs4>QftoS~J~EoAuRP z(KrVo-+p`gZ8<~1m;KeJ41KOO;!qD>h(32QT8~07 z>3~voCzsnoY^lD5Rrxqw>50@~b*{?60xFo{+Cof5AXb+QXBq$f@!fhnAHqQJex1jj zS2qN(W5>N%(ev+=d!OxXDr_;@=F#DL(yP8eeb3SjwAGFC*T%CT__oMKe07R%uoch#5Vl6^U>=y^F>kpK0Oj&+9rLdze!C~Wjf6Di9!!s{2%+Y(Yx=mBZYtzH?pu!_^+)7X+fnb@8E*ooiTTi-3dGOA>9eO#zF6eDl)zMU2Qnau|yA1?y~CZjVu9{Ga4F=hm* z({)IZ786+$0;3Ndf!v5;qYG;!j+(*-wK3+5VSa~PWYcWOz^26V4NF{f7@&)|sq?Wu z!a4n5nIc%m3Jgm={_I~Z6OQrUqpajZsqBwEy$!a(PgM8GYVp`%RFhu~leigwqHRTR zjG);qzMR`sXdC&oH1qrSju$JAF~8Favwf$-#0s$(ei(&rSRnG&AC#%qFOPAtRtvvxgzH&&bie-ob|duQ0WiOcqlnD5IC(PF+mJLhpVGRN%ctjRs0lY;PQ-oLz3w-|TEE&Ha;84R5YXue`V9PBH>lEoY#h|6NSUtPHjtP+?WXn+VbAOoN8AE7fs5uDME zhA?`GVhuWRL-{;wL_ILG&yJ75Urkcd#gQIzzZ#*o)ep0O{@9Y+q)W&swm%k)Zy*La zc){mu+c+PfL2z48J#2*B3N~IU9QjTb8%~Bry&CcaH>;3RxPW+BZ9E~#tpzVb<873v z7ij!2ThVxoUjzy0X&KQ&s-_hU!6VBQpdgV5F9&}UcCOo9t}3O{0)%ya4TNaV@s zySMCel@IQSf%Tc@OzWuWeY9~7plsNuS9g+uCO{p|MhCWf)c-pm25cOcc6!4sR>Cm; zgqFJ~h@sF`v#-wjgFpH9E4v9F!*U{y=Hy4y#{u$Zh#(^NP0!p9#`XsNc8~d1;ZfDP 
zlcFcpm9Tv~i0V#e^(dTLA8id-HxiX?a4B@per9!0b`+wEYukP=JsaHmWXO7uDj*8R z_}jqQ(>ZD+82P==0qnzezL9O(%F09rDW-vrU@J!d##V5Lh;49eC{_`$Oe-=WDy8Ps z_k>N>TwWIebe?1mj}oC~{K2eD!eAaMv-#NEHpJ6B2`?$A8~;b121XK-HAh06LogT9 zzdA5Gigg>t4~t@@K->mVzD(*%HpJ>N_Sby~X&01Cn&gcre5F9@^6|63M<;ev;RgO< zQFyfMF2rr%{_Q@mBexU?Hq^I^h>!+AeeF%%ciXHxDz>Kc-tr62JiOqYo^!yh010o1-KAUdKrp%cG z+|-d3{BZZVua}iz_`x&#wJ_q{6@&;riC`)rra^5+#=F$;-Oe4qrsB>H<@28I5>(6d zT%6Il9B-8K2Q$o$QWC}2pR8-K zkvdABh%#2g;Z^kY4oEJR3vYI)$Vpd1F;4HALw0*Wso3rNWx)>L!@ z{HjPEcYuJ-TpUPD&a934>H<2X7^Uyk^u>_biyjRUViF&k*><|~GkxH*{nw;npA5tT z;m<-6yDlaOi;R26Pw9|8{i6y%)$4(?Op0oD>HLF2xk)yG z5$aX2zNbHR`=tn_25zMX@%UapztaFns)=#`PQsH9#|TWl@)+btvK2qcpmO5@VCi9S zK5dM>JA0yo$hDwbt-8eU)hS?>|IJtb;+de>#T8L67$N0%l=PlyF#s8h{p1j5K7bl9 zXo3U$6XOn07WBG<^fJQ52sAYtXwVtQXB6&K&JhNyGfAm^#b8$u3 z=IX`YFU?LTZ*4L&Xecs^Q(c@H%KRblP5lJ9{4*JW1kDrrp zzE+wJDFACPqyU@cR3FNi(|q8DyZ_P+VU{zl;U)cb%W>76ma8=Z^jC;jl@;Z8ARG=k zx9X2i9rs~HPa{LvFC5&NU~mg1n+Er@IxVIZ^(%oR94my);;u+69P0`vw4A@JCk#;` zH2&C6LlkkaeF|WfhCX|5sQ}fYvB*4!c&IzDZRlZhLJxc0W7d58@BhU|sBD0Aoa5b*3&4jJgflc|MiVp|;u@TsH`VfojB-r)SGgrZq2(vhAi;|pI;lf*`uWET z8UioogMNSo(K-M9;PVPWu{neb6gvr&Kl$#aHr7+TpY+M6nW1YLu03CDD&19{B(pfo z3)q^tnV4CKTqvLfr9z&k93*tgTooeE_Al)yf?Oa9fLunb|8d(tNn_uPqF8lxonXq$ zeFcFL&Bu$^R%L7UZ<5E(7YsH~31OuLrpoqWPeMCD$kwWZ5chm=rWnF>t~+w8svU_F z|C9@rRYkT;=ieBxZm+Ly_#Pf-r)&R%e(AK=4O)5xt>_OcL0W=6zwR~rX$@Un6*MP-uA-W7Z*76VEmJjX_J6|*mABHa|W z&kLqf^mOnjE0|)dgl_->f%ZuR^ssxii5{t{eP=b%MO3V4{3jX&!MBAx%Rv1?@N}Bj z=lW&24NC>=_mD_4WeoX~Ty=@z<(wHDUA$Bg)VxS1p>+{t&J~A%I~0e=pg8nL=ey1D zzvg^9ju*QoKe&AQWVT$^L5m3aq1T7r#gPw5TPib4gMBcU2j|Jw9NG}Xtt*&XkGL8!_JdQF4UuCdq>@^c&~!Kxo+Zd&!9V$AI2o}|IkOoIU|?Cfs(+oaI`u^@mf)5LBh zdIsUpMGo74A=`(B)((f+p?v+Om*r~@X$A1|j2vXzt$7A=?If;m`qVDb!3bl5>6deYTnu zPBB_CK(h24wj~R1GHtpy7TnwQ@yhDW&@XHucboL9zV`RWI*u^h(A?kn&UBBh;CTj6 z>ha?ABWSDro2g2RyV^%=+BH~CZ)(Tyv)RQG2#fj!X2Qq`Apma_XVy>HJe{ArDiHCS zWu@u`@tN!DP0j3+-&%7X+dSuH*U08LtovafZ=wKlP~-liCs;9Vn+FZPH1!Hv(0yx2 z<$#>zPnIr%r4Q|{5 zaxh#fD}O=f>l} 
zrN58dW*vo9786Jtbw?JiL@Undu$?u+MQJ|~y$a+UP% zZ;Eln*C=eN#^C^qwFqhku4!OQ?0%p3-*X46H#V1%0L47HVSV`uuEpDIJGYtxwsufde{A@;A}HI&A3J>2`2EfMlkE#F3rhkc;kII(fw&{<1*B zco>#gj^-^2F52}lS2bMj{OMx{wQd-9=i;{m9Y8q>Uj?#3yU7;)-#`h95mLEY8YRoF zqagj`Y-xK4+$kms;Qft`MdSC1VM)VrSr5f59V{)N5Ze>xX4Nj7O2t(Ni8xl(+t{=e z;2Z^Y4#h1QS7$VzRA>#fmh`b1uqsRD$7`k(YTmuffBw`z`Jb}zIZ1dt1Io5E2*Fg1p%1WkoVjg*wzUOYBs@blL$-v367%GKiq3 z%lc9@qJZ}nH&<~rqKE?CdwH8on6x;46){_6J*_cqRcxl0T{yJgTCPc1!PIy;S8Dl{ z&f-wGw;0bc+w0eaE9O%yX~W9N@ka;jtgCY0ba`DDw$2JwgS|i`&&es!rS%a+aPSUB_JcV#z1jH50m#=_o6rqb?j*_h#+e111tC$tUOZ z`=Z%8mEUZs*KAW2-UZZ+Vx77n8Jo8Ji#nG$eR##|%+AxEm5=&g-SD{&>k+%g_5tz0 zqV2IE&(1x)8HTIjUe6Q1q8|p&dPS1W#>M3v0J8{>;f=j&WePr+&Z>AH^HOCaajarP zy}D63M^1bWD82T8YBl@sqtD++824XJh6l7NdxVxMbwnGU^IAX>qa%4e9y|bEd>~x% ztDt8^t58G5`zBbEVI`;i02m!fz!QpfHb#d;cF8B`FHs1gpWEV#d!+-hN9UaXx$VHX zoH+&xZWi2O$Jk#(X!pRGDp}h%OVtf;+8kx*QSdY9%PQv~DVW%Fw|z@|Y5PE;|F*TY zku$BAjmxTt=u3A0Yu;UE)9jp3q`YceES9ATw&@=l4~y-=tUuF0Z=8gty&`{`40QDs zi8R-!eh;pj3EIC|Y@+!=QUUh23xRn=SRrhgE9EzRo*XJtSU87CX#`2hYJ&)@G3aOE zA`3`2(!u@HQ%*GB<2K~9<>cRPd_Xp$rU9XdL1Y{8j0i67>~B;=a``#JA-Dfmha40h z4_H=u$G@sNI4!D^=ON1N_F9xJ(bnkPGp0M9QzkUWA|56O8oiC$d%`ZtWwC6BGlY<* z5w1Ag){PCl3dYFG-DxL9a}f&L|1%#os&8?ZS>-mU{;pp5N$Y*I2>E+A8tw+ZcCNJs zuE=XUov50z2DLFInv&v0F@hCIGMN*H@*#oY-b|Hb)8YTZkcq6I+eJ2a;I<(jjn;N> z+bt+na5SZJ+=Zt-O=cPIxv)y#KE{n914xN954X&O$lCi0I-foz0edVh^?Ol_FcKqkqT>SVUBJ)9?w@Q4ftanG)KI;Ou$MSj z@DxxD>VkXOZXUtaNF%7W7wUqVEz0ux0_nkiVI~Ui?s2==53_A+d{b@w-z_Ih<0tgzXdFFkbD(V64DdF55sH zGuTdgbK~!!*ThV@bn?{( zmXtf+0x>^Q{}|!$6ZS5zco?|Qc;k>0@3#}F6Ev{0GT+Nl-ApOyy;~y0?;2PCK9qIY zxW41O_FE>%G*g z7!TNh|I5oqfxfJ9Zcw^f8o!7s2$1(6`v`t`iCA0%YD(sNs$dK7F-hbu=S{khErL*1 zGBHu6?mKd=E(p+Ik0g8l9VGs58L+Q?qCAgjI7ZNPSYj&$K1^DtX@2UY=&6b$g@%eH zIhGH@ghIg8PR=0@Qq_2DS~w#sp%DK!ma< zXazvAXJV{O^71M<{pyEsUv>cjgJ&_7!@}Hd_PsTeZ3|c9=yo-{s=UClvUf6Ok~cEe zNz$9`isEw^nb^R@0ydO(LYXre@l9Cb)u1}f@1tm*Kt}h1{v`~z{3r-St@HKlda;v*pK-|OomMksdZ{Y~alBe;OamT%ez6=D6_26`IttCTSr zTlWOAQz_;I;!VHO&# 
zCZpC{z_=X>sFKd{2EgttHU#4=A&Y5efzAH=xsHNnicunCz9{`z7uRF(19nA`|ntV?*-|?!{4@ z^^A?B^v51QnT`PlPltFh^4i>s71My$?|yW6izvB+P=JRH8W0%Np5hK570GNz;h_k+gt`qV|g1m3l^ERgi;$KXwri*JRpB5Q?d;mszFV@@LNM08f+0OQ*OX(Vb$zUg}hg zJ|1@%iS8ZsEjCwa6Lq;bk7?#InR2Z@G$KEgd?NkP%(v|{T@Has8{3hyYv7&;7p4{CFh6!^c%4ZY>Vj;v2MX^}%A|;Uc_1_zz11dI-U{3go zJ-8xSd{*;2q(_{1c)-3>zK|5k?Q%erJLer{?`4}c%v7&7e%>GNPZQjFn%7aK!#)1T zIJozADRMa9ak`D<3;^zLwgLV<*%E~&EPB5&tzyE_vbE$?%etqQk{r(;ggwlZU38Ru z#PD1ViZ45=?t;y37I+PzWK|sRg~uVpUzKrj&F=Sx@vZ=@b*+;c8I}8DSYa0oSVu}9 zXcB(rJvEUy8B{UO?-7Sb-aHtK9zE#Hx_0bIY_=wcOP%Pe>&=S;x>~Oc(Y4SfKyH*k zl9=Lg5I{f~p_aV6AkY5I*yDLapqAbffyi9WMLv_#TBNbnaVlX!uEvGHxV^kD59P)R zpPur*PRZWkPm@XGo8*cU9rZMK$8`bK^*^eXPf&y0IGTWJ<_>5n~h3J38-Bm5OF zVrXC4kvUQ^YXZ%7?q03;x(HV0U*GPcW|Ic3MCkyiej6jvS0HOVBK?+Gb5q>_zb$I#E?#;sZ<}Ig|9C&Ts*_iYb{!+<4!{@^kQPn=mti)V}Z&I0y60l=N3h zbd2UE1Vi6Dhdz{1?Un$Rk!ksCX}#9MgycS5^GCkvfQZy7M$0cHh&MxdKB9(~7aOZtO!S?izxAIC4&$j3~^9=B$E3=28C z>A7R#Or^PRx*e|TbO%3$bdZijaLnIFf0KsoVhwsXk!gm}LNYR1rPXSN-zPny{7{tH zIuV}&J8BnsW8n*~z)2tYP+oKenY=+Nuc3)Z%OktK6@HfJz);JjY|Ypf-lnpWOGcEn zt;cpZ=X>8L%M7#mL9eQ?D+EH@E_-uYVt1I_B;=*ake7DP-5J2xUqSNHoIL*htcBSz9S{^^8d3kpTT0Byv!bCSgqQ$9-5I z6WK@Kj>gZ3JsOoj^8`WuMdYIq^MoHaT%K3h6A!5XTo*Zc)-fi z*;uMQpg#P=-$BCbtIBmK?;_F>4NLrZ@B0almhbJ=H9bp=nLVpdpR9ZQmbWp2 z&Xs~c>4ds57sfmP4Eg6kJc$(+3kBjFrJQIkM`C?hD*o_fFGZ<3DwJlx3}9+B-j%C(&Ss6Gv!W{m}BO z&(uFqzIQiAD7f+hf_W6_5tMN;QDWum)I%rlg5>+Hb9Yed6ga22hMy4qQ%IG1|qy#QWw;m-~3jX~XL` zZ@qtG_2OS8>W|g7+&vEo%5mtyMeW>wmK?^Z9qY&rA}`PS46G;S*Z;=U%TdLnomqbS z_%vlsrE)!Ozk!_YEcUe)S^~F$gI`!t4p&4~ zH0X^I%XB_wpzTbf5Qpz7-E-w+$(p3nz|p76UL$Ug&n~8PNHH@iu-FES$LR~mSopE?pX;JNyfAK7n(!EN#FBmew^RqtV0YlpdAMsAAq8&337Ml8}WFWy3g^5et|lXg{k zuMBwVJmOLA+Epo@x8GZ)#O}-fhk?@Mvx@_)bn2{Wk9_jJb)x++s8_3lLtAKGD)?Z7 z1lY?*B%Hm_nH|aw2hms`oIQ#2N<@y4@yK~0@pip7=CSylodv>5s@JY(Dz+F!9lu|p zFHwG?v|(7CfrFb{<(#Nh&fCIli9O6|ojFxhxd|uV$ZzqTK|NhQ^kRJ2SLxfp^Am%G zH^!S7yp+7X7ib<1`jv<>P3CrMoIK*~%s>%FN+d(#{HR_LQ=6iY|T@ 
z=2p`{Ne&FIhT2!CnrgO!zB{C=s92f#$C=O%h}O*1m`9(&-cl#s+nq-8sqXgEJ;Z;rsi^m+KD6_>)T=VUh<~AEZGxG4|=z z;@%gb&ToqYe^`>B{e)OlNnitQB(MR&UmF;$54qJ+L<~pWqk_WNYvMXC*#M9AD|3s} zA|pb@kYiBVP2=tk$t<$&VJcS;`O6dJ?;+vxc$*Wu$^68vBY4bk%_>%xv0|)CZl#F$9{Q;#7c8(Hgy5TMy-H)bySbTFp!N8)BX>%3;dm5IM6*C`l zHW&%i@(A6bbY%-M8fAd%pw7;D{;!9#$o+EYg{0pWVz2eZ)Md_Ww~d3HEIw0a^YOVv zT=C%)JJ@^eqhfzmG&W5aY*)v$?K(I~lhe_?h-TP$(#8XI-#*Kp6-{6m%{faw-%M^} zc!Qne`E#AyXZRcM>6`E-_1r&kdiG9eR7}jihkFmc9qZI(+)k}!qh}hZ_d@6#n-9*N z_@o!puuE~(tD$K<3goc1a+hHiapSOjXA~m1l3y|M60`0IlEq}49pUSWOXR&A7#fqe z66kLqV=-OSN`1@1z+8F?uTwmfH+GYxzu zlPXD!ddh_v?l@^G{!C(EZp3PYl$LU;9ZL)gY7?2rWaKbw{B%1_jK5@o3=wl0 z2K5PQd_>+Ph_^2pc#lxsr$e2j!ur%OukX6>tb`fmv#zi$#J;<*Xxh)8f-9ZCm##5f zVFC*zLNOvH_?AYI@$e`?I*fF_>U6uz6(an}9&!VwMc7dj=RdQ%t^<3uph4_DKd~@G zsQc~?FpS&nSKp)M)z^J$;>J#yS)P-s7Yo0_K4Jdn`bUhc4MAR%;~Pacbo z-t|8kI|`pbok=W(D;$AEl6Ir9eSx?Hvq1OWxl?s7&m8v^N|g!OM~p7xT-QAc-*Z^) zuKyNdRd9H&q4}yZ_tUP?PTr^-_DADdc$`M z@hUiuOTxGO)mA2>k=&CBThZ78C1md&q0o0gKD8 zE*z9#LoNTbwbf+32O(RC9mp`K;Oo3!7{G^lzI=DaAciczZpcc1&yWv+buj{zNw33$ zMVq}o>XVHUOc79EP-JsoYI`LC@t%i1p#o@yel6mRV`%oUWM>3jrNe@2?vTMJRT8uk zVb5De7qDLrO_XrWgF<(0gpg)*ai}U{3OpuvLve3V8?mYpg->_YcdA1BABA|`u#%+Sqi@Ef;uv zQxZ;pX>;$N0OkLG=aW+3L(0d)x(Dau&6ax==f^tY*^A#d#da9;w%jcJa;nMt?HK^I z``i4k;A_tQ#LU@jg;{{GT)<4j%%_FPV9-ww5YHi)iLNFfLU_nePW2Z$YPr(3M+80d zq;k69Zsk<57#|N`%uuuA;InU>O+Oxv58kRzjS{GLojvv5`Zcl-+ikvE@mRR8gG4P0 zO#yurSxvCwZVaxk1`u}cCKI4w`}qusy$E)c5wL?l?+*@*L7hAjLk{sFg`$ee$rM63 z%eqs|_KDPO_w)Smb>HIh`0?s)`=y0R$HnI(DpT+73xB=M4S{X2{>|(37O+^O?ORBF zakzE0`(u@H8V4%C?1sSaxHY+qz4K?~?%Ic<9w`8-Jmn>z3VZtB+{7>rk8#Ss@OV{K zpxnMdYG$yweWf-<|CTy~c+;a(ijDU!oKeQ(eHpta+Z-n;#Z{6k0vki}vl=aTCv&zv zUJh^`>v{fu^>rglqs*%7!;sYPk002)tqUI=zmy1U$+Q0UR;0*IV8#pkEEO=J8irIP zL`;CZpG9;23*il$<0GP?Xh*+f?Q(o8`fMnQH!mvru$yxA2k8vpx59%(Cv^%gl}dg6 zET@khOjb!%HZs~-KE%?|R8{UYI7z*~*=}H3bJ`_+j>W!YdHzDj;sKYfuR!IgxGn8u z1a`O{P;VxsGj1dP0qFATdu1P$qZuktLm+GiQvh8sr;sU)CHG5D(eIy_GaouzI!P_>cK9))CW- 
zg*LrK3U@9`>V5E7JC&`Q9aSCOS^w^t=j!(c#n))7jgYpW3!H*RdG=v@ZhG3P&dC|fXQ52y#B};mjjz`tJhX$+g zj;Hlcln+cT-CJ8*ttE3@;ulwTa0r(A*2K`h`Z>(&Xm`y6`r%nlp&(}z5#=UYC86*K zC7_9kas~>K-tqZ=3bWwC2{VuP4u58Uksna5A7JX0IsZ^dQZ0U>)VwYFQgc~-%7fLs zf&wj#hAAu0t4Gyue1EkgTkDn|%WE+qTL@!h+u4}#Fos0nV}+cYcnqb6E)@|`GQlV- z{*C1R%A*mZJpQpY;(8ksSGd&TJ!hH1EaQXU1>4gtdCP|u4pSS=jn=co8kl*QI+ohS zc28BQ!SjHEzZIB2HfUQGXP^)6AVHz6f4QwciyD0BsA{Jy<0FH_i!QVK&+CO}Wb7+n zn|d|#-1|<0Kefz($82|^^e#@`eCznuQf@G3jX{7j<&9dLU~^>gkAoXXAm z_lJ5Y0vlSH4iCQFof_TKbARUDB^EUg#ej$BlsyzHmd8hTpEmG%Ja;%V%USA9amecZ z$1JlQ(_)Al*(xoeKW`!w9|t=9HGOj-HtiO2ifwxT<`jO|7lArJpgWy>J5IL3HKZ?c z1a@x6>{*w9kLWP-`s&8Oq@SO{c;l^pUe&M>JV!Y+y=wP-#?o=k#I5O@)0ykKcd^Nb z+#=7fIYhs?@KUR;dZ8#pRG;#I0p`G(&8ny5yo}@9%-zjS`5~nxq5YbGP+VcV>qC5a zHmUh`JVx&yhcwtpNrWmS9+ z2ijGH(E7ihRa}QW?Bp_Fqx8?n{^7VR2MVLbgTu&k=Z`!`7_#JkN;cp*G=wt2*rzu? zGjt&OTTytbBcvCZh8gi&h-9EVflciA?{dt}sz}p(SM`CVN5y&~IxIw86%L^>J9ewR zeQ_=-CFNFZ!@{I{5x-mRJ`N6*Gxwi8I3%`{RAe@Bw8(vSf3{wAcGBf1nLIbq>gvo^ z0cY-h<|59cs9Knz5dOY=-8i2??TL^~!?24;9L*VqSfqfUTcO3^dzb99M|dbUNIIG~ zW{-?^Vke^@G1^}V80f`1p12f%MxMBVvkZjHvlda{&9WCyct3kmie1Rax^s6|#t~qF zGqaBOKk^!A#9oW#v3`z3yNUO)7nqKnQ@o>Je`m%#ipLmrj1Lg|P7#rBp{fo}Go?HgB5kg8YJJvJGOI~!SPsRi$ zjwBbwPH|raryVn=3nJSeu0`O&mC}=6FS6>Ui%o<>T>y(oM9A2w!yY3iAQNPE8)?xg z*HJjN^UCQF+(a-gggEgXU#UJyGDA`QydEam>&07~m#BW3kO3+is`|-P>WzgvcJEdJ z#_?b>hQIex@|}#(f*l+YyW=9$Q_*F-Li5GkMGntAvQ4t`mKXi$dij}^9tv%nLHpGn zsIkeBhiU??{xvqtp$+HAV#7zgOpbHj11~=y5xnX*5j^R9!MT%TN(z0InjfOlpY}$* zowBliR}`xs_{jN{rtpPUw08B-_c zhsu~ANl%|i*y@hLOQi}NEDHw!xq~7`Cv2uP7l6?tdA}97pD%Mt+2MNlrTWHBBA~E1 zbC&ho+$!%$&ed!d#E-Svd&*;OaYk%px)}|T=+Jk5 z9Hw@fChaoHk9C7(EwjPZ52sMznl(g(&>?yeNXtb>q$&vP6G?Av8$}Ht3eDeU!(sOE zu(voM-iD6hw11v;hQ)twgS)|gEdosOqI6CaeY(I4uS(9B?Kr+)kkjV6TC@R z@#X+hQo?X)nt#5***KGVebE0yR&&rL7VbYi+-phn%veY6ASmI9gfDWyeF7jThi6#5 zK33fb#Ve1I9P|@72-FW>_3gc9l<-5F1~`pt#)Wc^pb+;#$%mm@Oo;AkcKTj#lhF1u zEz#8&yL6{V;!F~+=xrU~@VbhJ%IZ}x`^rwqwPC*KY!p9^*IvV#rf5I73RyM9zb5mw zwma@HT}1D^^C~?b5v33T+l>-`9yq8Xaw>6!v#b16Wk!Z>Oyfs>?G8*Vq1<3hQ`R>( 
zRdnvT@aW|_v%w$Q-zs%Pcofin@|GD_E&)07J1jQ0ok(!Ah^v6YS4rKrq98)`BPAd4 z<7sYi`n15nR#rIuEexTA>-o!G#}q5hR@Uk0=vat;d9P%qlI%hGMpV&~0AcaEf z_l_?X&oK!Z27L5zdpe&El|SVe#ls2ps_TC{fWj$RJItoN}AeUHg2 zvYS_xJoWOb5J!di=-TX*KmALn*WoBHuBY~x0zm?;((u0cDQALzR17fzDL>6{qx5aE&);i zlZq%SBd$IG(OgEJP**`$5t7|!PL%rmM_29w1~_xwSH?(G%K&D&0$9tdy|{?gAoSXA9RsM>OO2P>L3Hj-+}ffhwJ)%j8cRfV8^Vk)4~zjDWMfh0a)+3NEVVzdO10wgiJqzFg%a4ldVMqdONtED^B zw)Ycj%-J^wp|FRxTF-*F*8Rk}+TKX73(IOVFHK6B3qEI`rHZN!uj=Sk%npE$WBabv z9Orb7;IF$fND*klyW7|y6!FvA?S2_|f0QZ z-#syX)bXZkSn@UsRdyerK!7@_+J!W3W?6TiqjU)54zEke<_}V08g=qu;T`X|7d4l2 zqv-O9DVA#nIY~S$mzSa|Lv<)OkYlyJG`fesy6NTGQs8!Gk62_!r+bpc)rM4eLd!;y zC-8;CwxelfWy<96+O2Jt&FF{m2R`#*Q?RJPCQ4)VQD4Vw(wU%Zu@A&VbHd!MpHM&g5}>}d?2x4gCIc6M2{mZ;U$`+9 zI`>jUGipd}w@U2X_O3$dX`ibiA#Y_rB#X5@3dlyZiKu7PBs^x)y?ZcUJS=K;#CT9u z{ThP8h=AQT&&ukD{gABr0R9OTtSo_}_#z5$#?Q7tEe>MDX1%_^y%%r7IOp3ULVdOtWnEm|GrSk5dZiS`&8WHv(#ahyGww5 z!k2FG-LlE#8qt2J&;GZ0(bz9a09qa`NfUVFmvm)D-n$S?oGcSGiE zT*jSDmDSedp&~75A z!WdLXa0CxM^{&;-|PMvmTy)Z}FVgB~%oA7IZ zX0=K`{9cE}>&Xa)kMf>uD$(bVmiw^wBe3=`j)ZV51C)m3olKhHZVvYPBLdz>tlK&+ ze?>Y@gpj*=WGcX|wnb%4nxG6MO$$i=E9ODVG8+9}JhH#vLh0&}#LB0yye8I->M?Fw zgFnOkn;rei%i^fsM_EghS~MHdjUnF%2e!~6kiN?Xs9Y3p&&sLB( z)l1?k3J4BT63&PhqJs$npZygaw8h)KSq^CpzqrXddB`=AG=(WYkCg{$%c9HJ>}OuJ zWZW%y>Cqx)R=K!o(Ds`KO-<(KKc19Pik8J==#p2$$~g%R!@bC2iFo8`w9 zM#rgc1RXn4v|o%`E%-oR7N}QdzV||6pw?8P4x${S?E(FtaQ2@@g>hk5$H*u16KKv( zV$O#b*q%RsK2yuUvifQKvF-yU^>v5A*hAA2Y1>Y?L;JDUDFCib_7%Yb@%YOE^>SRP zq&~yQE}>wBxQx{=m$}Pe?S~z+$%bAB`Yz_PH43j9f^8_KI}%&hVw7X$2Uh_IP?V;% zv4DykM*b6-yfq4=Yz!=?KLDRoBX<`Yy6rL|y{Fvkjh`n!kx0H*nGU6WRt;fGxU0A} z*U-$240+SlKDF$Qg2-$8?*?yp0Qn|6JBY&XNWsM@Zt<;!s?|QbJsIQxb?sI!cf(g; zlh#Ad-d`c-P3S>9#-&785!Tm5$85uY_`e3xqO zGt-LCoHxWr4y$AvsvJr>SThSnTv>&Y7yUvp_A6&<0) zW2W19jbN-o0&uw2cc-7aJ9?)dKK(k_53Yv5hck<0H#r?EWmmde;HcXE#>kM==!t(805-)rt0MG z`cQ4}g}yU9azrq0xtiY^ca5!Y4}W6j+SkeZMbL(QhqN~dk#3WHd!zj>ItjcY2cowF zn(G*Ww92m-p0urUr3l<&)+Ze>zu*=C4uyZyr9%(0us>lw@Z+KImyA}OTe2iKgwK|D 
z11a9{9Olgx++hWKwpWmuOYBA(|MdrsN0ss${GejsHd&%}2;1o={cp6gy7bal`0Tsw z)*Xe{rM^sDbfMHnmPeTW+vvq8iCL5LG-ztPT<(wh=ZzDHV?DbNL$0DCY`Gv@+I$Rp=>#K?0yHKtff?vB_sOS| zfhZthtt~gfd>drd#X#6YJm(WFAz{`2#r4wdGQMrYAF^!T+E#UIGcN4oD}WL}xrG*s zim)Fxl@_Ja8NIF~G?LXLBTfr8kfYS!P)G#3+MHrwMTQuT5{4Mi4+s!_dov7qerr6T zqg!^O=sgpEi&07YSV6qN50&ATMGYMu{U|C<$}h_>&2&*i1DTugIpxbzy_RZx*~?o+ zLnBUeHGZIs>M$XbgTM6Nq`%v2_;LUb)|N$>U*2@&jGr z*E**^B}_On?EjCFqCaA9&#r{|`FO`?1+$@g89Ysc$JKfSG^N+|i1`B3AA|taD2J)N zLKnOr+`AkC)QBs-Cpu6I&$#mk!d(2-2z3r6-#>$j*VW&36_-D9=oIR3EM6S8_-9*5 z{D6@-JGzTfGQnek9j%VlGEVc6&DK883AVv(d9D`+zNVVRSZ4?^p;6@sorDMfz@1l|6- zFX84b4r{y~bjg1obbEGPT>F^cB%}0^Pp@5Ma3$aS{{e_s&Ay+V`TVF<&ExG+_Y3c( z{#o%z-uyoR2{OOC#hHjI`bugN1&?rO9+6PYIinvPyteXTa^{U3ArNgLqTb8^r632E zh_r&HViL4X9qe}3B9L0EeM=M3X4yKw+VOjSRmT72y-0Xtad;2sjkna1ZjTcN{vW7f z^sB>6Kiyi)nCQ8t?$oum|D98eKEg+6bj{R=T)2Ba2npNpI6Q^aQp3s&97#3QD6pwo zCNcJ(ZTIzIbdgb=h7r#VYwjZZqps!A0oZ?@8*+!SA?}@s9Yf~;8TOO-l}i3&2<&Sl zt#3e-^zd9q?AKJU{}Fr2{Yp=)5kHOL3IzEtuC&BUvv;YGRa;n5mH39<; zBfpH0gr^+q4EP^N!Zf9y^8_2U)L~N-IRa0`C>!?Os#I*aG+-82F~7GdmqlHzjG1JU z`1}>GY6;YOdyH54El)PR z((ZG)qWCk9C?#Ru<8u4x%`X*i&UY#!O#B~w38)ECQL}p0!u&b3bRV?!F-($8!ap@t5y) zCL{J5E!wQO6x;L^m_|iKWxC$pmBP{;pQ;gsln`&ZP({n6I_Hc`zQz);ae}z`@v4sg zAYWX_i*xPcb3}#H4RHk1gW$Y}$YiZ>C$C@UG3ex*Ylt6$qRbLu9=FQyAp8`ps>ZAF zG{Wr47NRziYuCxid~35c_K0W*i7EAMA?Ee|VfvyY?b(=k!Bgy^l?2uZ(Oi9_=?;bm zhni;P5*LSdEV@8q>tMw+deNA=tvd^k1Tx=FlHrzRqj$?i#_hTK(RrNn!Izav2s(hj ztRefn5Pl!MzNJ3c5=1mh61XWk+9j!0GBm9E@g#fZ`8C#~TQ-6suEvGvX+mDKj!-(W zV0e|h>&SFOacenFLn6CWpFGw3M`6{<4>cXh``41(mP9~Q8JyEGqLLJY1$VrojtR1S za$h=#bO*4Q%9@e>>-2VjFl#1|0%T*h2njia!9 z^&;ExV&a1E#I0a2XJ4_+jry)YC8Y2;+Rr`;;5-dNAl&Qc0C0!R*jTh{zlMhC5R3J9L z1kn;pOF2_*P-etTm7yW1E#C8o^r5fuJZZzsqDZEDpq=nsib3x$YKE&R1cXQo!v+ml z*MeK6r%Wh^zExn(X$;HQEwL1NG;;)_L}g{~9I2xj(GcG5g}^pNYYz6G2cPKU?qlC2H^_q&;S*3Ibm*a)8wa3QTjHkLQoMC-W`x3H$2M zuP6`morvz7QFum8c2@unL6FMDTSpmwNfsn|9m#?Es(HOkr@Rv)mB?=Ck5Qt?4y_M|3M_fEZ z)eTehNP;iLxem9RVwUhhLfEk@f3S=mH@x_w%cNlY;)B_tkX)t8|EXmFi5spn1@S}w 
z_*+Um|A}|`ai`kK3^gieT>opQn|hMW;Wl6-X;)+EIA&Q|_W!Z=)?rn4+qOvG2 zC85Bg8>OYYrMsoOrAtt{kr1S$q>*k=>6UJgmhP@^E|tCCz0dDD-}%nZom${y`VY|oGuITUkcjPW1RiCbTaEM z5%AXU*^HIbrvEKefP;A!Z3;#{ZoU-W1P^Me!BM3^UVdS(4>wsb>(YN`qU&g?$8N7> zvCo}qN`H#(jQqq9#pJ{i15&x3A zDpPFVZA?T`Tow}0X-RYb{}R-2#C|pD&gO7cxBhnEnS#!1_M}vLSF` z*!VG1hUuh5^}*FYq0DN1QsRN*O4m;fg7^6g=dJ_fq5ldQ#UP{?#{fNvQGX0@7I#4J z=AUps`mOQb#6li`7ei7=|9oomlvsJyFOt2Dm!_wK#T5U)Km&=iCB3lkUAx^6*qMf( zxBhE;|ARC9uY}K=0F~oLtOH2H7yWyuJ^t~`&*z7XK(mc3ef743>ByGqKNvaGh87T` zEFi`@;}w&Dk}whYh-^6VAKVS@>CI`2765g7r^Y~I1L)TK8LN;WVJjD@$*^T<`dUcz zztHU8g$mQmgNf1q7|VhyVN2-6w-F#GRN&iWJSO1c`i+Zwm%#VD=l(yQ-$v4!1R}3V zs=|Hd&1@3?UlH$jE!hVqi3GSBKAfw00}_RvJ(tS#kFX~MC_zBY9K}Bzh3(ji7)(al z^(dr>O}7^OLr%KkEdOWb2PCKXCvI@f!xJ(!l~)`c9o_EG=S9S_&UTcJTz12gAsZ^- z5qiK3+k3zO5J3A8>5nGCm78UQ4G4&a2co9SgTp&y##;|fT@|sbU;l?n`Y{9+5Q!N1 zL??-U7^NWY-wE+81ShZ4nvfPF zxUJkmwBo3a91hl)xkxckEW&+5(Eq2L2#(_wyb;Td9E>>S1JcL$KXla~x^n#odzFLt zCtDr-gT3;ZLJbx<_sLl5bN?YJLtcPi)Eh)YwB-tg<7plI!F(Al|NW@o(P)7g=*iht zJmQBMTm9x!Cq%M%h}HW|E%2@~Lao%B@)X~zM)129k3pLlDd0DM+QbO{!zVJpc4R-X z`nOF{$;!(UvmKjR#MGU?$FhpedVI4}5nsTvKSlr{dN2_Dw^Vs>Y7$yz|AYlTF7SQx z{Xy0mKCoSvVixdgKjZkm6}ne%mMJUmgN84>yA$x40&uwAci;zO2snT8|0(Cs`r2Dp zVAmEess=w#DoMJ(zF{K>9;HAG+8l~2{0J}~a)AA~biRKBE-V#+=CNhuw($im&Esoo z4OS~ulV?ri1vQWIB$Dn8XDHQj4D4ld%yB_nH^DRr)ZyaaF-ZYtz3+<4l>J_=#0L#g zZOh2i?5~Cg7h=HkBO&>aawSm$8>fb&%TOk`KI`{sA&S51D&kzaTxpEEd#ypE!Dbn^ z>2g>8OWt!at%n{u@_89zX6nK@>fB0r%tcfy*PA#w%1m?zZ7sK*DWJYEv6zsT)ehge zwq?D{S98|yb(U-!iw#zc+pS(&JJ0a^E)PMP$#>RkV(ey5wK74QklpCwQt@W9@{M7? 
z5rrSV2~ZfNI1)gW&=`D7tS-j>`+)BxUrl#f?oD|NlCAhVl;}@x**NfI)EB6-x2WPS zKF75atSFWc8;&5jJADMl2oBrdM)LI0ZDmXaw%&ZoBe%&%;3E9{{>fq>)JCWOR#pMK zCxzG8T1g;LUxoBkz-c@Kr%}&9_t%EsG$JfZz`|$td}$L(MS>m#Uv9o^R+o_$kBSw+ zSzO}`H#Uq22(2G%B7@8;7G7K?gKn6PVr9fty?h8`!v+2r&;V)SkHCwjDz|amYHs(q zy-DRD78Eh;M%%iEP;cFQ(;wBgxEMG!gY6h5@Fr~FP4(<_H`0G40_x08eD~>g-#flK z!`aCM+(Po#Pu)vd`@w!eh_apzuP) zpOfAYO=X5eX|pI??Qe1wg#34D0W<~whxV6J@z*c-%DB?qb4w-H&uNNF=TN3o(Cs?GOn!GI!d-d{G#dvz z0x&)Zc$$lm1%PGohaK8}-JPA78q1`BGt=jD0#L3-fPuwE2yWC7uZRl#fFg zLf3-ycsz>aOix;Yji+EMNzbdj@?JRKNWKTu2D1M_Z9oU5%qUoDS1ksjEv{md9YCx{)ZoM_6h~yhN_?2I z@DByvm{*Xn)0;XZT)a^0VAzyWBmVG1S>6@WwiucrlwDiT6X9Vfh( zfrVBSI6^8|G;oAVMCWU0K11llxqm!iJrPFhG%RLtVCl%o>*2_&AHVy{;SswI*pCk^ zk{9U~9}FI_zB9@n+;jybLUv$nfeAGpX-6>8q>P3baPm(;!~p#e`6;)y34K_yhgO^b?%nZ@KX+Rb0QdUUV;rlX`CKrd)GJbix)yw?XVHqep?^ZqsKuYtEv?Gm$d zCMnEN?S{nHG~xljDF#y*AQ3o2+PNZ9)yFG8M$JT3`C|n8J}fu~@Ht?(Wf23g0XrIE^&d*;u7!8^9#B9f5y8*mp_M0*P2E%+O@ePFt{RA)ClNE*>O zVnIl1nn%tpB3)X3wi6s`DBaDW9;1H4Q_z~_4dJQ}-RPa&b=!D=b#zgk(R@ZnMWxn! 
z;)UgTuB568!=h1&<(#>uQhh4~?raKUdKW@Qi|n!>+e`YbHE|kuR7`2E za$01(-sB~HtuN$%vxn92J)F!LQy9I^PMx2o{vPaMn-r^b3X zpHc{JyO3>N{^@&%e}#=8-!`nB8kdtw^rpaC{a+10rceH!xFYfnOtjp_{m{W90wV=M zgAfeu2GpGL|3N;CpO=DPS`}B0QT49|`1dL-f^erUfy)QgoEf1!{!{>?j&_N7X~BD)AqoG9BO zrT_9T(BcXX*_ITN)|R+T3H_lAmQf+t<$Y6fB!afyXXijo>_xSEO~CdHJ}Sat`Pb+8 zptHON8K1?HI7|oX#KBvt5~v(PuM0J5gAUz9M1;i)66>5`^72unWG#@#IJ~E)!Xw+h zzGU*MinJ~+ca>ilY@Xq}dFe!zN-g(JJ{|KOy1Z<%{9GREqveLcdH<5(J8?R%CT$0m zn*h(nUm5_<2>^W>M)EmfxMK>CK@V&pIuq8DzrmRga@XesM)5AB&_V6^K6@d*a1|76 z+uOep2?O%|{65o3e>cSa^}4+1gyC@X2wk3}nORBkKwI)KPxm!z6XEi<(GE$U=57C*g8RPfAT=0j8dxaQEc{qrA6om z=`wmf!%Dy(UkZrggAyzXb=21B4`1?2yR`Mq#sQGYa3}e!0b&Pro2MM+&iK2~pUa97J z;drrnb*BcLzK^mfM2|AKE8dMI+$}3snx&NK!jz6rLaTSh%Os|EPk_~`H!dcxqN{9m zJw&!${nV`0Rp&E5<_z!DRBd21CgBT2J(RDO)_pN$xx*g#$apu-3Xik)0Jc`{!1ZI; z1O5ntHUsgQihtq8j|KjlWbLcgZC=8~DmPMB#o+I6pK^18`STE*TB5CT zBRONLj=rfZuNEGm_V5FXZk?UH?o-eAo{Op2-;GK)!}Dm52>rMhs#9xl75;I_cl2@BVxMx$L`dGG@Z4n+(=`sQ zfKa_$gzys)IOyFa(+#vMt!Jfc= z9=?4_h{B*KB{Ih^oqdn=O%jMBR9*qf^v28+{XOyk^Nyf zwvHC9!smiwA3`IDkl{{xot$JrqQzYSJhoiw%d@9fwS4W!BD_6(?HmhvrgbNQo#*~u z+Kwgp8drmaV(ZLiR9zqgx)W`Co%nIrx+ng;=kY^UV_YVKK39M7 z30$@VmrwrLM7jmRK%|Nb0B!4EWq_f0t_|MgdfAUaVERsINngh^1^a$MM^P9i%EuG)r zKfCHwXnQhx;#bnCdbr>>Y21lDIMUfFb?WWUe1}MjW0+NdR;!>W*kyg%kkR5qrFC=! 
zlX}xF8o0AZFGEzV>9lsA`lE#Q*_4mDLviyr7XLdzx1a;rdH2%_kcjtzr1fu`6r33T z{Pd>tK6@@ox~1}?Y7-me)v+sC^Fvg7HOKup+_UyBnuzj7x+W{0kQ|NAL5J6S71%ha z5sn=fglt`jE+4tI3b_gVDY@GN+k7o8;WRrJhsI|Lj554*0~9lL@3M)dDJ;UxYTKaT z!nQY}uONn{+uU8%v%4r{HCC$)Qu>-rnOc%T*(QOgudYnY^f>+CN_XwabyP>+bnWPV zQMd=}P{V-gF!RM<4~0SDQjA70OpJ@k-x5@#?BO2#{!bwrEXbKM6}ZKuzwSLwD;&@0 z*SuTLP2HW9;7iI3?@&-yp9=$!D5)z~T#g=as$cjpN*!dsbQylk<_T2wZmbda4hKT- zOV;N5OKf|dlwv`U24tcM77;tRUwRM$Bq&ow`xC`wPp@>pb>AMSF=S!a-@#m8fAs)a zQsBNxgD9>mKaIIz#3}C;wc0pFG=U(Xh*PiaNV=G)*o9l&%M^3yTK=-GTi(v#IL7pV zgp$N<0frxwK~;1&`eW-~9`RNGb_}ZB6j!u1H(tAg3LzCf=To!0d@~7EFI#0)$$=j| z_uMSI8s71~D*sZgE+*nCY<>vcr!nYV8&$1w;_OysH}LO1ajd`C%(6C^w$2Nv8aJjW z2Q0iTP;TfLzMy-5>S>pViuGR4RW1`)%2Q~s*=0&_#jvP&KwYRC>}#+E-MMTZ;Z(0-AiY6ERorG%k8-Z`M#Z9)GJHrc_e7lDm)XTgSfJ6B`?z@nvy<2)OpqjBA z$%DLO$kaRl5VXwf%|KIW&$sGR&ELxpy8Ci?y>A4tSxkb z@(Dt<@sy^^M$X+4YM9k!hO%^pGH$ik0mDG48@Ik;M2rZILBc@hWY;<;s$D0>{5E*1 zk6<1elw?56P}(L0YPGL#i`{g9_0p#{F9_XC`;$oxUFCgI2dKf{Eu1y{OI*ol>z4wfu`p&Tg&%Ma9O)~=W8`KsiJt6 zTJ+IGucjn5IFUs#9QQF?SsBwBF3e;(1e@)h*;9zE#||$QIK_3G#(AJQJ*sqku`;h@ z6_Xa0g)r;BQ-b+;Blak%Ml6q2)Wjj0m+pk$s4tO-3X4X3rD4U*)8dKBQv1NTj(F*j zRwft(gSS%5VNueKk#%%X*-a>=e|Ll09%&Ar`wzeZ#*^TTsUW@aJ+`*SQ{(N6*{O%6 zGxly2IUsVag{;Bam71Kde_m$~g85NM!q-BrQ;|4{4BeH6fhlLNHu!+r&losDfl&sP z(lAF5IwHYGQHwwGA|O{HLIX#&^2*rNrN$DoJSnq;3`OfV+&GHQg!>3bYa+QU=0Fn2Cr}IcOD8BZS19$t-&cJ68=Kn zHBnXuZ%8r@&^g121Ba5=YK7%4HM?KiE^=d!)L1gZcAuGy7EV%)bI&pnAS|`m3iYx| ziRZuspP7)!gsfBVdtD5hjfUTsUYNDm+_*JH!-x=U>_H_ge0QMCMUp+AU$7v|t*29m z)VPBfu3XWDU6sNIuYb|)v``QRL~2C5FCvCS{Su42$8Xd#17k9>if+^%X;sHHXzf1S z>z3s0SnTtu-4iY%I9##@A&lf&Q7~7fh%}t%F#Uk5q2cw0tmJ7BxTq05$pt>O&H;eC z-&T>G9Pv9`#v!2afz5p=JwW$v2md2*$bqkqP_OlI2bJ59Ax>{W!dSg?}?`u%4$2h7I`g^cP+o zJjQWakpdHTc=H3W_94@}r3=Z%XsdCD#S|x}NV8U!2~B*1-s6w?O10fZks6(LG#GVXxa=}npxJC-{9d@M(&qr;ET9;vC3J8HhyoTL2crVD7hAYu z4yM|gxjo>?dL6tUKa(+0=Dz+oz_evnUk2 z2{=_^*uBUYl6ZeG!g5qAdDT~4(&ZfR`b!G(eYQAk0^XTQC2)sgGt)%>R4h!4xh*Lj zr2>5YaqDLb=;AvbLUFSt15+nOsnyXHo9eNX&X@tdfKvj!&LO3dPCadZf$p8(3{E4i 
zW}x`;Q>)6fQn4}zlge|qx#5<*xy2O2xwL{2Hyox{pt@au$`2+=_+EU?Lru>e>!q%4Ai8fz zI!X+=)AltDS&$QEC#rFy+YiUC!UuM(KdD-q5_O^v_W6X7e4IP+J6pjmc6MXG%9ep& zO+ESP@fMaD(<5uTAfi;jC$^pZC?jc?#co-pJHD}7HsG|}O480Q^cY7YbhffXexY&t zB#4daK-W`Ct2Q4Gd70;@lgmsVMT=5Ll@#?Gp ztW_IC$K9Y}Zm>8qu((*T){*=)6a)w*ydCFVOxj)9~9BqJdazNd9j zz4uBucQ+!dUn=Q%P1#CON*=Xu>U_m|l1l@O1d@csqK#I*_qsA~c-Xl5(XP_T{tlS_ zGh0&&h6N-qbjta{L!R4$Qz}f%6nXjl0n@ww8bb$D^LLCjhNI=*arG7@_baef=TO&= z>jX$(C0!5vqpw^xt#!!WS9(+)9%u3{yG4f_NQ@BnoGquUj}+>aE7YqSic3jVAP|m> zj^cXJ(^6L`6EQSq8SO>Klng*>5^hIa7Q6=6kN)4S-kv35(s~U>=zdWOF7)u4zsiks zj;F?vY*#6a)7?}ahrD5~Fa4;`LvA%+xW<*QJK}jqanpo$vmn3#)hZSsTrMhKcY69d zh6!Bv*z<@Q?vcB2s8R{p1gx44oO%T*KeW;a%K?m&1p<#E%g4N_0q?m#odTX9oXg|)6x$n4nKG_VaFk%92aLe;S_gOsAAAz+u&~2#|r>9||Fx+{X$sf5a@}l|TdYPKgAp{6K zDFeK51-gFR-6;-@1$cUXJl)WaPNm6$=K=Md0mTUcyVv@cKqAh=oP;lC3m}i}Y;+K) zg2J20CIew&7WRGxARbeIwefr#r2U&wI1{HbLiFfAH4v?EnIj!Gsn;#5rRvQ>+t=ER zBx|Ye(DkYMz?K~wX>mv&tz}BSWi9H;9p>c1MJ`2yYX|-nL_V-j_#7OC@aDebd!wMt z>&5+C<@C8A;Ybi+2Ub47Fa^iE5d)Wd`@#9ww3pKtLGdMd0WY`(d|=W`WAF)_zY~6n zfXcyZb{1@)yI>g#3hBQqdR#tPxPRH|jxe7gGy~A0l2;?Qz|*oO%^WSB9AP7j*Hg=c zsXZSu;|1GzK=oNXPP#nPxG{XOG$)UHwRRlB5ADkqoP>g#Oi=LgM^)jj^>*C|Sh_ZQ z5x6R$8s7~LT7TwKBY=YY6|UfFfL_HxwPsI%>2MQ}`S7ofJ$H0jTtw42B|#&Z^=FcH z6%xTm)>ORT?|_#<_)T6PKh3)wZ>uLz;FTbpg6AJEFKm44b|&WQyIR^5zs`w(w!H7c zCSaLpcorxu%)e1B7X+jH@h2Gy$H!AN8w#26DJh@@>nSzGK|CoCE#yX!XLu>oGoORu z74Z0C0r$fTNuYM%FpqA5QQlL7EN}-Cz+a(bwB?gO2}wZ3n@*V6^n_`N(eA79Dk>cm z%d=ehUvJ?L$uvP=R-VG3{OYHfhkuEV!rv7Oal^-|}`KAG!uN`MBMw&xGDaEHTe zFd7Z&IcVgj^pO?kbht@n+IuQQW0CkSUiUnsj38 zHhm?cJCVI#n3gH`bPl9y*OXbQX#rLy;CgKF>K%VYM>DE&J7B5`j-W#|F+{oS2v~o? 
z?y^Y}oPpHaQa|$ffTe@mDAe1yfqWd~rV1YO0B8)7jSZm%%4%rMg6;|MMqN*UGT-5* z_y78&)W8v%!bP|HDhNCmSFk(k7nVEIWv)#S1td_i4gA=1oy=i5p^OEV703>TRhUPw{pJ?7!d;;me8pEdOE?z?>$&d3GZW@5p^$GOn4&b^wd)RjK}1sS`R4; z%Xlt7xSW8D6Yl;&L1`=6LwZXZEb~lpyBJLK+V7UNhHc-a_Vzty zJL&bw!Y(ggJo5ffo)Ef8KOAmO+2~oJ85^GL`Qv#&wFgjyGTbVg76WayG81-Zfx;nM z*x>26en%9}5;h;8BlcT~vBMq#3#noY$mEXzVv#&ceH!U!#fY41EfTh{1S(1UqifHv z^&=QXL#%mzQ?6Q^G<;?asJSpQ`Onf=pu2le9=;TKeke9&umP4%5AU)d0__saIh25c znSsBaZJSB`7w!-Rziz?;PFbk0>plkq4FneBRu?1>~!vnGD? zMGy|tL%qU>j2Erei$I{Q<%j@0b7`mqhaXDkAM^GBd=%~Y-WO&FToiNpId|%I=fghs z1+}%5rjeG@XaVnuneNsh`H=(&To1oF!sVOkv>G^dy5gDFsNS^}6_3+51Mx8_>UY!o zD17fk#EHNTz%TQ81Ty5_j;3V*SOwsltm|)XmO!k-vSEVAS2`xVyxw@do~P)COB8{v zt>yj$8sL&4wY5R+k77c$KC4D*p8SDExVknoBU_bvSSrrwnBbWy9crW@Nn=!~^|J}& z_a=~L+GvA!9J#nU!homHWIQ1!#y!3)%g~ z(?I2^V*3tGIA>6~i^|xOcrz@QDo$rgou09<9>_QmOS~%`A@S==`XnYCr=?0;EE}m& zr&!OmYKMvi(u{6p6r)*5F(^N0xI+`pUH{cJWv73#KEH7xPxtAqQe<$n5vibbiFkV) z)aL*9?fPGz-DZ0WBeAx4RyjNL&H2TCa3Yhz8h;~7)`9b+2T%J0kBjHOxW{>%nznJ) z9$JxvT5&5o7EBmjbWWZ-btq9w#Eh_H2uKVNUeObXGCh>fbdaLKlsCv1DCvi!=i_Ky zjn;qA!Ptjq?R{H^1_zh+21DGX3#Lb@lb~7_DnBWJ$X|x9jzZh~8}#c+_#-gR+zqf; z?_>du^RfMKF-Sx*zI+*j_-0xvg1Bo`@kXct6am;a&;uLuy{|D z#dIn=cZj9oER*>bqvv-t_J22(DuH&o zf8LA!uclI2x}VC><_neLVB_l+XPhYV>2r5VotGL<6h_0ZmfgjB^GUC}JcS=rZk$c? 
z4A(p*FG%KP$>OlGC}T1X?q1(_e3@C}lt+`|HP+?|8E%;5jH;}Eo^{zd82}S=5x4*| zJ|`uF5`5-){m2?+}Zje6?|i2d3&=L|vT#6?21G;lXjaxs$3l zbblN5K;N?^=~SW83X8@$N-v+w$d8+GfJVY>E!lD32@CgIc)7?AgO4v+8w=h(iT7A$PGO;@^mM_o{q?)LheBf=t zGC|Kuu+w~IzY>sc*nGGN7bhd~ik@B580zInf}xB|6Kg>z>BK@`|9v<@x-H0SLo+NS zGe1G?W5Pm0f<_(?8GT4s8_XT3Q)8iN)-7Dty~hrxszuQZO+@$4K&;lgjKMv7u7b_* zmSnk;czN^(EsGD~@@QYarXeCP>l2y?9RBxre0e)ZC;&g2N<{~F1T6x1k$a5 zvGAlI3KpPI8pHt_LT|201grxt3-TdOJ@CP_s2MxMuEa9uF}_5eaQ5n!^*`;pQ2&6g zKYsLmYP!U2+7ZwS=O6OYO|WIpn01vHd}OwkLx<;voccU3smGX`)y*38dR7*=7cZ^0 zm7t3W!S~uP#+jCO$a@w~1Fvl}xB02Th+dL@#t+;e_K?6U;!gmF88_!JD6vEke>a(XJfKfp%;g8G_K`b=}kSk4hrCCugixYo=Gs9 z?87-#Q*hyRVd&m>Sg6%R>G$tJwT-p~);%AUV_HhDiLd)+TyC){mFu2hO~^}(yLHUC zb;Q;q8Xyx>H+iR0ra_3)9`XxAzj@F1L1k}`3-ZOj99Qt$s5i#d+DX}-n#v&2Viq4< zB&283DNJ!y*ZGCj zbX6FJD60N=-K_1lRm9BI@*A1{<|j+_m8)M#8)}u_RdqO{x8~AWm^~6k7?OsNSXEC^HX0A3WuAD z4zHp-(Wq5EeQvBScyT(4%WPixooG`Y(H7DwB#IbW_N;#9`bF!vL{1L`?i6cpH-3Hy zLs?ZJw4N^_GaY9zZP>tcrr)Zt?pU%{Ca`p`=9rp6cD;gqq`1wzeQJ0z#=DUq6o z@ey>Q^ooVrPh{9!@7)bwpZTfYwcEh%4!T=WQKsrkKP;N7I6#d zh2IncNr*EoI2qn>2OrykDi9>rhxbfG9Pg#FtjTAmN2w!E{xJg zOc5GM=XNw5oo^6fXUI6G;GjK}p{tGmNGOOR2sXUV+`MBw@1#wJz0SL)pBO9-{y^37 zOLuj45#JtuPOX;B!4bFh<05Nuh|C;1#{0 z)CSkD>0W18Sjo9_5#MUn5v!fH3u|QK@u=i8Y}!vS2HT5C{EMxfE`%c1Rf=E=vH5|k zVdqhAnt+4Z;z)cT4oH;wi55ZOgtsx{^a$hH38G+hwNe$9_(T2`9%0>7HKn#oHDwTX z#~Z=xX`xqdo;|>pScxPKC`ut*E}Zs#!|ZK4aN%ylo3Hw!O+6ggNBdLtZ)n5;4}a|w zddfvIgxIf*b?)6Q-EC>x7S5fgL|feR-FL1ZWUBJm_v3NO8BV1l&D80gazRTY?$hM( zdaQA!9U5vLyU?F58nJNThUJmP7dh|fUkBdjgEMk1B^Ja-HEzE=V)>X-^P%_ZKwjCK zQ5&0CtKpdkQ`HU%qa6v{6g(fFk6XQl2ElCc@e8M=(VENa#-AWXya@&7^8`5v=57q^ zyNczuHIyGuneHvHf%KLqg0iJjPL0-D^pL~`G?C~lWT8+Zp6`2kFz`Plt ze?Q^tNLnW>$L{km-3tjsmwGqbmnS70C{ODG%^p3T=eKc25H)FZwL|A$3_ihqPyT9j zB(%zPmDt_gBT~=h@L8RXOZ)4CH;8UdmGx^^emLoYN!IBKGONIMukg=)ra+`b?)D zJSFoupdy=?raOTVt?i04fXOVma`^7M{Bb*&@r=8(NKdiyTkidwWD?>5-&(wqa)o#$E#DOElRlojV|l;Uygtol*xFSYFrukWl3 zkm0ZyF-s@EC>)$vY>&qf4#I57<97SBr=XBleLVUm}{; zcf@jXA^tI)zEmWWQ!g!TA{+KKK05-Mtldh-+ma>fpDl&cub;>XL#x{dv!q?PV_nuA 
z*Y(Xhopks~6E)bZUbXb>s;^-Kvn3#)F94{KSv8J} z6v2lGK-uCsrO!?QKLY8`5fBfn4)<)p#hwU%ega8<0<7@cwOjfAVb249UWIxr zDYmJ5Nrs4@x(hQ_B!5Z8vwPR>tNGDSiG0MEBVv$0etI1k@@r(>`epoF6=(GOU`UB$ zi(Uvm2b7=Msirk>`cVpGh7{oa4a~Iu;Eb$H=#nL?96PhYW7k@w(u4s{_*%L zMBXYw%a7sV&(2WsL;F*XM8#}u>gZ+TL)(*5d-8ByW+xq1y@BTXbm7G3En%wDim`*3 zT?f|n;0AB{FqWFG&jTg`43hCr6N8VQyHAmFp%LMUS`fFV`=c@(Y!;4v(d8z{ZDWWz z=D`UdC^`%&V^0GwJ1QS#F!=Em=a`Vu0+GXE3*GWO?e0FqV!C&gS6`Jmt69$BYy6Pw zD^V=nX5N9U_0giarmJoKR;U8n?WJ*J4c+VHBnj$0!4{Ft!|8@B2&3Duqx+{V%GnCj zBr5@dK?NXRQm|EhfQOsgY{C)cPkL!w^lT0DcvIgXUoRZT*cq{`leZ~SpB;EMp5h&jp-THDbrb%g&F@n(|88@icy0xkC+<1cY z@~+3)8|DuU1|FpGf`~y|1y6paJ($FY;smT{d*U0?@MNY*WV9Wct9-FNd_bGPt>wQL z8+`wcNJ!{A$H9phoQorxGnVnjX=HBMTz4`$a*OFN_qvuZQ6l*lxAaX(c$}y|;y07| zh`Ci-Pk#-(M$un8)^{LqX;jSFSqf(&(Nc{#lD=?)6ggQGwh_sP2vJjIfH#^a*v(Dh z(#A7k*y+CPbW8CJG%83b?PX#`GnmWQd2ZD#T4Pmhx74rILEy5ttc0y0pcEb2^x@g4D@ES`5N4bQ7(_{Vd3+JD2YHXs>leB;NsF$z9>|<$PI3DnJe_+KrKi(WZcib4lUFwP{rt#rA zp9(%3Gnpx5GGnuN5b3+ONb@VZl3)`5=H4A=@>@s(=HOoq1<3$#GL;gc~gBw z^pr8)c6WeVv(BB+xNmwmM?WNG{e|O2*up)G%uIp1gSib%pOjh1JTZITJRMgMT>L>B zf9de<3l&rNtIacH31y^`L`- zv7fZziKD(JZ_VjA*DpSs%A3uPxw6pSUlE84fDz01y+h1nIBUZz=u|VGm);~-M#N<{ z<7zlNxRb=Q)D_4iTdZDy^SRP>Tp$EzCpPFqB)*omTbJw1JOpiV$D8|CrjRC;T^Qv` zP;rdDD9U^}ij+f)6AzwuEWSllULsT2RYv0sdE~E|^X7oP$10KfRmaE$F#X8A&5*lm zTw?*+E~RXM2|fW~i}f)e*r&ZO99DT^3me}pU2A^J%%et~DZgLk zN%7EW%TMC9YB)6ykIbuf^Oon?8oJ>L*c1yhaLhkGvw8h*%qRINh9)E;Utp))oiYwF z9ZD)`YMct~YhsVf8JGco23ekgxo#SlbG?VUghaf8*A@ou%cbqVSO}vGJ-So5h z?}J_v5~bVl5bh zFm(KzP9UK@HodU7Po!{=q2%MaX&&n}Rg%zAJO zGB#yk+kKC-1O8sk>U3em$fSE-47Wl471Fo&1qJDEj#5G4^PwQvCXzzsP3&_s<*u-- zNBh45h=>gmc=^}Pf26lr(TFc52esR_QHQjz?~QwicaR(f37v?&Z-t5?)69{`a`#4Z z^92+5DlMYYd1S8;*LS|iXlN%SPVH8+kw>O7DvJu(bjyV>UT<^%nyDZny*nYA5-wVw z)!K5JEzGk$!ImBJk(zNRqR8{>EKOW1l~2A_1LR3Gj_Y!>T%ugg4#>sV*auvkdTc=^t`q&CCi48p! 
z24M;fPu_a5=C_8Lt3*=SD=R9j?$sQweJ1;b@^mHB+KqIE40r75_@LR?_Qel4jQP3JF~6_%Kj_SngZK%%{uR@^?g; z_Te+X`rDxFdenAXRn{x4_3X#*Pa}mhSC}M=dg)@ii&cs`%7oV=s3b>JCxfbXzi#3G z+ApyU19Qgr@k4uQG5P01`^m7Ve5w$cIEikfe-V5`9PsFYa73GPux1@WzVw@3{m$>D zV_pX+0!l-u)>OXxS>Gb7D>yIe3}+IJ2jI~7dSjgFZ#;~6vyb#b9TCl?R`@-|ZkLS1 z(A_v$d|ZQ}v3hz*jQw{t=3_FM?}}BvZ~GE$w7zZgp~iOidsO&N+7g-Q`47?Qxhj;d zYmVUisNV_m>OVNzIiVS>`<3I2of~prpo)6Fz1N4M(<(|gn>|E_?3t4Ftf5=2R8aIH zg7|deTAfSA|EH(@SBf>KPLuNlM$w^QvUQcqK$#g2EpWZKFo_x87be&9d5*Xq?28^^+~TNAdUcW3+7f`KW!R=H zG=H0>R4#*XymsXm#-(~(uqonTKDQCi^ow_g122#(u1#gQ$BEcej3eQZ2EF;|!g9f@L~bvcO3NbWTu6z{f+sxnIxB5( ze4BM*&@EKEKbubMTR)jjB7ge1wa%e-XDQ-}AqYk+@6L0gg*9hx8FD|mD9DHmjjA)- zL=P<(*tCH^6wAY6c;K$%WCVnK!7D!edkb-Jbl|E6N0ivBw=-*DlGwe%>uf3@e-lTd zOuu(nPU90`!LEcv+9-9!(^_U7RkDadHX!Djl-;66wVxIQ`$Qen`QzAa)x@S$#k$lD zg(7lxf=f$VH1J8f!5kAsxG)C4Py-Z6urqr*D@~%Orhl0fL9|UosoZ2JcTn;dlg)=h zdm!XVa4PV3wc63vaXORY@tP;*k!DO)dmvk`M~~Jmplj%vsR%*A?#iE8wmddx34$T1 zA+3yNLgw9DH-JX;l?NX0=s~>Op|5tKz~t@b3`K1t46!f5T(gd&7`i@fe;Yv7Ir!p9 zi2}cHe5gG7n2A7cUN-qRqPdY@ymfAL;yLt~4Au9lqbev&yoZM+nrirFLo*pSNnbI|fc z3yD4~mhYW!Z7|HJ(4iVy{HjU27W=jV0s89v;Yz~lQc@~?RWzjrk+vk==|tm6RZ7Df z3?;qWVpDITuNo65vR2a2YPT;>MhMzb2Qgy zP~h(GTlc4VHnYx6vRVJ)6kj5i6cB=%+P4Lcx;0(v+KYPF5SSF(7X?73G*3WN0KPzT0ZS|>@;5t&xa>ng`X zYBMF4vv|e@HpK#E?p6;@CzD_;PN!6p{xs*q^3n7_n3mhI!fMu8^ZE;*ncA>`LkS}x zAVee8v$pFclH*vUcrGiv8vy-AQtN6VvImV9%#aRT(=Eb56BIZk7iUjb=*y<;M(1x1 zp|v|ayF;?q-UHQCVq0w?^%Am}eJ>nwjj|=$sKSx+TJP#Z9w};|4_5gHxrSt`v6rIY z>Az_J^KUvkZk<>PcEISFr7VoYY8@5bBH_9om}#wEYY91Ia-^12#1E-!lw4EJ%cNORVo~xfqwipviME$PFYFZcQ^N-Z@)iuLMXxg< zInVR#_kEb1uTfPT3p{)F78X9r*B{9ula>^P7ojC=_LEGSqxULFCn)6BxPCnAQ}H!= zf9XDK9u+DwI_jY|QE`w&oT>ZfSA_N2oS;@8j*0|fI(NB0L7bWu&1t52(W5G-S?A5* zO38(K`qKsR&|xvyE?}ml$wV4|wfNiUHaZBsP=137J6#dPAfh|ezo1*_^d86BSUetc zNDge94o?;4CZ?;~@mtDsjYVsXkyW>zOXmrGMa3=0$Qwx)+pM%FTC3e~GJ>hTfgD`P8y z7o+9T|HQ!--iX;ZmY!>QEYmhoS$|0!R;?9B@awSQ@)y=}!^hD}-|(}8A2J^+JW;m2 z&J4?pnwpx160cfv^hIs1HcU0;u^kL%fa?CksZ_${Dca&yJ?tdw0iTTtq&Mdm;Yx2( zOaJwi0y$l7aD 
za@L(uEO}@2-#t&9#yu6Z#N2j%-nLur4s<%N$Cg6GeXd7~SNDS(Ja+&riLAuZ2)06;TNZN#^~%sL!wAl<2XQ(Bbp+fM2s~6u+!K1d*nt z1?6NDBhf7>l|?;VRag}xCXRfOS2cg3yPJqR5`2b^M(V(Ki({xLttI%Ij%RR9sD@BN zvO59yYz9Z6X3Z-pLX7tiVq%lh+?F!h{;L+1omRKE>7Rmda5vb9CZN^qbw;43j%vB$?8X(0sM>n<)b+r{9a?MfZ@plYU&b{)As zOKJRT)S?RO2kbh(3Y%lFwOIyAg=ra$aBHIj(E1aT7@y@reW`Lok z8zcmgZcs`jhMu88LRwn7L3#)&>6Va`?)<;A_iy`s=d5$S^c82p#Rj25!`Q>bgAHf$uGkcCqsgr5RZ58<+FLG)1F`t{^Z> zc%I43l1jFvZ1@oC*C6tN3b9I5o97i$JrH_yO#G8B@M1|8he``aiZxsoMr#^G$XT=$ zJe{U?4T3BMqG+9*>~`o%x7Ma1s<)3-r4(qvain+S>zOo-)nqa8K?+Ab3G{>^+cA>U z+ATS3`DPEO>ka23$7PNZy(_T~U_G?)Vg=@nn{j>GJ6TdSuGqLQl(%ng>h8ad`%Z-a zwn!2q63C4moD@?J{s7MRgbwl8;EK2~j?S=L*>1Oc!^O_3+1l<~X(H?>siNk%-?;6FC8gk;TIL6_w3G)!q8Lg$-u5Pk3*1 zTkb#Zj(q9V;fr)jaN+bE^H_=OO}(`VcPoSL2+lXza=$Hj2$Iq)xkwB(7_!pKf!_!n zInw!e0PVROtfO~iGrT35zG0W9Jz~K{s`A;pV!0}9{c;OG$G>kOgP2{z@*h5KlacHJ z`ff;}4B6w|5L^9Q)hCd4aMe>%Qh33b^|~#<Lc zVHmr~-ZL4Gle1W$x?8+%#tB=?t zb;FsKNh#TxP`&5I{84M4$W3vJB>)6=PS#TL9@=xy3IzH2<7f)!$X-Q0+G`$JE2;X#-SZ~>-J9GewUn**E}`@_-v%}Z?{mIlGX3?Kzqyv zNEwqlK-X+Jb${&0%){4UMT6s>^I4Wp=MkeJ%@BffC8dv0S1RD4=kJVY=9Ms>-v&C_ z0MLYx2SfJ}w`yM|Tq#3FX;npI!%eVhM$%~AVU+nSNb$-_lMrU`Nu{S9^KrIsK8tkP z)89|8KOx2YIpxJHsB^PTkDgqcpDrTxJ#q#avJA(3hJteUYM^vK#h4+B4}jA(kVx|W zLt{dS?*LKmR|>QQmCnvqpg9oAz$_1k&LF6lBWF-gDhvl{4;E;^r6|hwiP)<$lRo-m zXOMoi;V?)E0&T1aV|l)UqM*{o46%n2;5?mgeCv39ngi`cz{%7g!WSHI#zuBvL>M;V zPl-0~H5Ls_0gX5IbwU%33f!B973ugp!Nkm!4NZt0(1i4J3U~mxa|(=#-R)XT2w8S9 z2C*|sKRPt}40H5Oa4A!JeH2){UFWnVWULgwPb>kw@=!2*DRi(aI%k~It2wli^ovoq zoG7h7fm*kMjJD^~Xz9lvdCGzsm>VNyB5pPdL6&;LVWnLWQKvKFCrIz(Y5RE#N;5@V z3Lz)bOSj#Z!*bV|VKfUWQgP(2OLKfI(S9sI1K5$mHk2l+dxUrm{{%|F9Vp9uJDQj` z(vGsPNOTIy)_=-t7wscZJ<8$uU3jVUG7(CERF1!P=8yjTs+uJ|-Co!p$`*2#M5*0U zE|S}PJ6G}8zG+m3kJENva7ByBa62wzbJj9d{*dr^HdlY^g5P^7kpu>Xgydfd-zd;0 zC=ad4Db!Gnj{!MjFb&&jcgK+4N<$px@KrwSR0v=;EGQ4+j|(~1zuUn+iQc`@sgUX` z;|u{3R}xh&(197U{H(+k!C0$kTuvo$C``6S7-9~5IT7#nbiHa{2cgMx(|p~Q5Ry2T zSSQUJJuZAYF)vv$DluCs`S?OoOKMdXXv$2sKp*Yedo=(Ak>;qo15~+2qfH9XA148< 
z$;P2k4HKF8gio_KMk?>)UU%=q$;#9F14a)dB3YZi7}GzT=0$y2Qn_!smGSA#taDhL zmOQ;Aj|K+pM=vutC|b}Z09S4-vl5@1SV11i!8$CmvhvF$V4X&96iySQLk~Kx&kh5T zwNJ-OpTU@x;Phi*cKWh=Un}Vjf~2{S8k`5O(=>_7WFVX)&Fg!W(RN)2lZyA~4uZ+N zJBTDIbuvRMYs@=!y?DFMGFh~>d{Ydk5x2DnKLzyBGTFJw{HMPJSv18cA&}^2di@e4 z;nEQyz5r`66kbKmN!J}7Eakix#Jn1_#xD{Zc(h98x>Hh%pz{_j!9KWLp?2Zl1scRU zwI=Cv57|bVq4gd)-j79^9Mx}!OzLwQuWUq8L|hH>+>s5>=!`hHbQ6sSWC0up$PzC4 zTjIcZ?q%+`!M4gn>XRmwszA~#l84Oq8zUho0epW2C-xp1OucaU_oqDT=#7f>= zGE%#DY5MBc;dL6@lBS8KY%`YVxP63r-p|lOtoLAeHjkBY3zuEtk&#sM#T^ws8;exS zgkM#T5;@XgiPJ2iVAOG;cI;8Db}IXqQAg&SCBbOvX_t+k>C-;h z&#hiUu|inE(jy0`Iz)x~uc^lp*|$*(p2SZlip00pjJx#j2I;L?=Q>-B*JsI_90vM` z@PaxN@nZz6-L9GssI5C9RW6T5m%gS5^$M&k6NOM!cnworowV%I=HF&F-t5o_pB`9W z?4Nx1UH+KHzS;e;CDE^5NspoS)2$L|1eq9_)AqLJ43bGf>l)~O_^S%KVujKuclLFm zVHg_S-0$9kBCs-klJ0$%P&D+ytI^~)=YA~Tu`In3`e?In_=b3&U5htbRT4=n|4%H}zh%?dw@dd+G9Okooh|sHUTCrxAYKXt!c8tXBHh ztq`M_22B3YltSp-o~kd_*=66ty&d(H-BN&(+I;3T;HVujMEu0b{CO0Mf1>+)`KQ$0 zqEyGpqSj9$$UstHxdGiK%ILdBJ5;tO8mfl3#UG@G>womQoxTW+`T|DfR$rPy7atg< zvMjUlko?XaD-Mr6S;nk`DOsRCehZ6p%F(Dy#lj<&$W^)_qYK6#TcBk%sKy9<@Fb+` z=H&Ox7u}r9=Fi8gllDVPx>8*r5HtX>X6yl?#;3G%|86&1izg@Md^;~vY4ziNT%m9$ zoTlVLHu#!90O+&^zZ#8znV0-;T8m|J-|%>OMeqAo>AfLaeNoHnLcB?IW*@y6xms&= zZB^QJ1*e@hJd5`i4G2!egtS}In%$^~$QB5mF#K+l}g#0V@Qkb;s6*%fItEy?`IvId+3jgr?XdPqDfc4HC?ueDi zN=n)8;^0u`^+V*Du*L*_HfcUEr`F2U-(&O4R}YT_$zXkwa%LOo*#0|JpKrL@?wZJ{EDHIZOF!f1vU0tWB{z2+|r{`G3ev@|aV#YxnDM=OVK5b{WoaN2+BQ zG+0R9D5Yn1J~-~o$9@7;47>Lsn@}R!w4^6P1>LT~ z1H3_4%{Z}TK3^b`^5zN92QO{+x9o|hBhtA-?#R-`u*p%hS#WfrM9wK@cNi}Z#E9%B7SGkI?3Elgm~G^3*%^y>J!wJKL)!22sj1uzs1xVuRVXo|hme@(nT|VJPORr{FcGM%+L$I`8DT##S^ZT^7 z&#DkPN+uL>~+Ht~*8 z0A+zAsQD@vJ9=;zsLyoivN`~2ud)A#gVM;0SY+W6+sWq$P^;xXedW#h{uqyK63S}9 zOerV8n2)ur4oEs*K4elO`SQjsHx{z?)@gtQ5FHqkTt_@g;_9AEff9rEp^>&sPW>*L zsyizbzmlp`hwM>nmQKYpLYfaKbRp#75rJLqIOr;Tc%n5MLO8+-3w-d|T_)6AIB$MeI-S+4p>95Hfnl3~5 zASkP35cCK;frm5xh*eEn`4xmX9GkqnHCEt=SK%$`)F5-BPNsXJfACc4RXlr^xtAWR z>aDb*s#*2x&}a43bIr6L*EKleC!oBbJJ4)IA)n;XMc~+Y)@sv}hd;wa>Cbj?{^@M~ 
zM;Y=@ANo0(AnE+Jygq-kZoGyJq7qq@^SLFK{4WiG~tqV zzrkDAf}8hhBL%RKWM5HJ4T8GKA&J1V=b9yil9K+%(s0ifWmP_s>>=Y{efP4ufkc(y z)rW`Nl^naPwuEj@mTAx3VSd80g5hWI^KBvysL$;Tq4_|xk~;|C!`!(}H)qxQ=6pxd)@cK{?K8}jELV4>WdC(naa%hX_MJaghB zVpk>Pv!C_L4$$TIO`9KI9-G*o_ros^j)pQ>O;v)>vbq+mHxoYvMqhHtwfYA-{5rC_ z;&SDxw&UE%{=MI8&1mq&uikG(76i%Vqce6_K=Tp}tkLpz+o-qe7m^?fL8r&*QFCET z+_oE96f^qU#Ua?yV9f_-tIA>A#=GCf#3H}R<^(d;WQ+K_8A@IVdRAc*dhOt0gqlNp z7W9_twt}i2tHr)VfB-QQR`H4?H@`4YM6403-7D#TN~tG#evs^ z!Nrp-zZ$b-gt$9{sJt(>4)cL<`?s$mInf$B(FCiRx~K1a_i&o2M6tsxRAjSAY+adY zDga?l;)aRSO7BOqKHkkk1%bh$xz9|ZWZazOcpwMq4mPcVl+Y_e=Yo2;P$cznnP^LF zxyNCPUKg_5Wyk((^9OLRC`1?xf^8Fn+(dUSla-Ztj<(VfB9?a6=1=p*9LKqco@30}wm#=b=h>Ma*bWNc zF@aIVAF&stxme}CDGPyE%*4B~G8wxhlev!24GV(hDP#f&=v>3SrXasVJiy1RuIFm~ zihOj-TPk5~y6MH?y=b(^H9Vf$AYnZ76`Sw2>BK ze-tEg5`JKq+RLaqbXG;qD}f-*6$zuyof1lQwb=E)G#}j(xPRQ4w3P(AJ|aKH1t_Y= zR+q%b^zR0h*m_h&cee`&)`P2hMgGLT&;iR+xn~AcanJNn#eB3V- z`a42pCHWK!udVei7RPSXRDI}Gs;KigHKTsBWTrF$=wj z8@yoxVTR>0oI85=aGJkKqz*PVEXn%F-vAKovNkIpx-8fs5=r*j95v-$sa5pb~R#MjUpyvEB< zyUT&v3*o$OA)klK95pFHY=GdS@%EEWg%{|6nAt!5R>vyrGi45O(kasSG}E!qO68_3CFT{8zwk7(=RaNHvgRs?p5Ey=uH(rO&c79AG5eC;gx0YGAawICio9`T=+)$f zX2Dmd$NJU_2NVWVMf24udEd;FJ6m3rg8CN}5HhaF67{DY$qA>RznI5Ru?W=cNyWWLSsgS(%Ko)0jTIafHggK=SYuP$o6J>m-sg zPifADWb*bKzauwmt_Z|vK6h8oRw(Z3lEiopS;PgyKIZkV@6E8yllmvy);A!YH-P`h z``-dVBKqAu@ab;oLxB-9Q)vRL<&i+=#Qh&0+gFx!kijM>ZVyt3{q4AIz}ovGNq{wT z`zc=^wehyaP@ivueeC+`>Se756OT`|2>A>9tXrci?*n|Gc8A7gLa>!aw|+_ES4ha= zA8rjUm=2!!Iw;7|e_(d;AR|t0R6pfAGR%yo>e2gJE%1qERbCP$^Or-5uFg@Ec;2a`(Q5;}68P@mzhS(Rql#Qi=ER>Mky?kH+?RRhVrm6-FF zMIMfEZMk`&&($!xBPnvRmyB*9jy(Gip!J{jnNUZ`9PuQLC7{NLCGcqTau~Rf&@p}d zgu}8G$7a?^;6t&9kt;~Ts{(7$h64Agk zOH|~m=bW)%+hh$l2~>)n$qb?w0PT)GnCq9`JZvtin(yGGgxriY8_~Nye;lekeIQNkJ z7Lql6|K`@NF$?k(Wbk^n=@MV!uzFBd|E|DIQ1gO9`e8EtC&AlKXO|?c=H<6S*gJwhGAl ziy9ZYVPOEt(hG)Y-Y|PEz3K^W%cwuOu!If(vaUtT zKVksVzQdBDXt^2Fttj#1-dBQHCS#nyP!i{b529TtKw1+ujOkAM0fOeFJSQv6l>-l6 zbFt87b0oj$&w{iQ@xR}pI=OvM*`Voy5YtX|eH%*v)JslSrVHG@>y_+;b96tr16|A! 
z;kbu@2nWa_NSp{nhMf_`PT8Xx-c)z06l}HzAdB#VpqVU{#rhJm4`Lo}(zdpGtYv|i zzb7N*2Ur0L+u0{6U{@CZ#~2j;=2X(%yg!;aVIY0XYR!VN3~Kj^i_X?{>zYciWkkXI zly!l#@Q5OWK!R|l28O{dqW=V3Z=q)9vwvJu70VpGU66BF=5}tn;=|PvZ%lvu-5)oo z-!z^*xY0h2m|3ehKPxCwLrdsq(`R0 zHS(|Ms-CK%^}LOQS|i>3Pn@N!;v|O@bst;4)`AfL3KyKV&R*bj@qozDasS7%G(z5R z+-$;R8AAJw{ocD5{o&%iVZ|A3mWlaV;XKTQWE~!=Mttg>a99TYqp=_o7RXLeG%G|T z9O(937mWmtmOemWq}x-9(-EjWFk5kq|`xPC3O+X7^<_`W6)p8 zAt(>0XNH%RN;40G!$9;M6s1h%iKS25LTG*8Btb{|P_r7`t*!XOxm$X(E%rKx=}npx zca500ztzxw0)IFI)Psa#%0<$DXhLB$aaii=+!;u5n#?I1^AgA}g!19Xa^KF;U?!m~ zYVa{|&me+CvOudR)Gjq_6PuRL{@(J^>ZSany0ENnd$acVu+39S3iYUuJ3#{GFLSZW z^M10f?5N`i7%_$jy?_35UB3`==Xp6CTaI z0QFgCZ>RI|%hk(yU0>TDs$AfBpsy1$zh@Vvj5uOH3B@J>Xv#ar1w=g2y;7mRn}4xR znL?wL!?B|$n{#|ac)7B7t!sxP={=`@N7;#iMz_iiz4P2_iT z!{De-L`;GPP!MFi3v6@cxg)>AuEEnhrptZ@*k8zBB!$4WQ-1W_!>7toBob|H)U;nu zxB>!1N4f1zV;^W2jx;8A!qZHkQ-~PlvP9Qx{NrTk1S|s=Z+S%^CvLV zNI#TXLagaka^$>XbNy1!EL#pT>44p4X2Est5zbiWGMdUzaBgjBaQ5bUAHl$g#AU8* z!jN^^PDMF7q-f==Nr(kFH96nt$bhx9Pb!4Q6q3%F`I+?ksU*DLejqdE>{p(YmX@_| z(T6-1bEoyE$Oxpk7l5`x@ae|^9qT_L9astQR<#qobxV@K#KpucIYzX@(05%x7QFz= zN*UC7x2FSOK}(xeudam{85I@4;9%5YSi+7q z=ZeFNikg4506<5m%S|X67HN~OS)ZgZTrEumFh<$38&ky&SIfAy%}4xBExMdqAm|Em z(YadV=Ro#K=wUD#kq$EfGUmx!GA4n)tty|6=?BS;D6aL50h~KedHvyUPYsu#yr(Z@ zKMh2?G2m9)>gD~&HmLKs<9R^rXCR&sO$vel(v!o6e6=y9iwkF)xmp?7NL1W2YCX{j z>AZkXXJgo@RJnekT%1+|P7T5S*%P|i<^&)*$VEstRnMoE&&ryB^ki8FpV~4TZFWd( z#@}1o;}bj(=B`=ShRhJ=eW0W_W#=gj31hxc7!X!5y@)>Ee^)46>#HJdpz8-IM81lm27mEeO=T}JYeVB&e&5J|xa$e_DsAl{-46IPH=KZ=YH)B&f- zbO)|8a;y;0$p?evprMgergG2dB!h$}@{KhXz($EkiKAMGYu{se*5Re#y3$Z#uv#d+ zNO-t}EFI_+B6)<5RE3&yW+m&qCI}HX4G}cWjw{Q7b9US1mLWMCPdAjeC!OcsWzXs^ zJhHlqaPS3aU3tK=4CFp}1JbsCnBCfB;4QQtM>UB7<)>pQnKKU#aJd?i(V>%$nW6&d ztq;j$e@g@)fU6-@q-wRV1c{y_@K$@xC4Wk8mc4sE0*6tXm_+R@O7H{zNZvB$>`74t zyH4}wGnu#q|$_(;8;@AP_j5^W*8h{3VneTENGs# zgV6_lc6!E0L}_&Xw3W7t+9JIvf26GuNKseXFRXyLAVjmt}8lS4OGsbaK-M!sy?ZtQ$h_duD^h73AWC2z=^(EbXNAd63%7jy{tH2cKEs 
z!cXeCnf9+*lU&T~8x#(wYaLE_1YLdamNtvf=)ImgQR@>F)a%4*@BR!_w{m>=)?7H7;5*$zlYz8tMLdn{kmep%So z%~ndFiWXe`mPSb`c3@^u?|^syfVdUE<#`C_TX;;++W2=-H7CX0=f#?WDI$!z)fip3 zTnokBeXaCj=<;?U*|7t%$OKr%q}E8*fAG~${dd(?YB}P!@l#bUNJ(9gAVyH&M>67$ z@NwFpuS9Z`X1O7pnT|Tyj}FT`h!1pbxT(XgGQcj0rm`Ii7J{T3Lgm<*U}snXDVzHj z<8c_Z%qD4tJxI=FlRQ;frt5^D*{7NL$>-#lc$v>C@7mdz-T+!KR*cZ77pdXW%&M24 zRK+V5O1r!_dha%l*t1AV;@*!auxLHN853S@8uWxnp;!Jh(-HLt`0oP@He~*bfg19O zlYzg0uDc`%qRUQ=wVMIFna6q?LzdP473~Izf_YHJ_50=BIECVmu%r=LZ(}M8?=)_A zBQH+J`%bIh6I|}PW~J3!H9cs>r+T$KO{`PZfe;hD@Dkp9;XNK9)05$W0UT)B*U*%^ zI1m+J9X4CP%D}L*c3H*|3tZ*2mORT(bWQm0Ui22M;&9&!hf}E)l?N-|Gs_M~f@kQ} zf+9&XArDYn7DNQ}b~;?$I$1uXAU-N9GAYc5AfA3k8Vd*>o3qYHKkTkWC<#cWKb9l+ z5f~`}9fDaG(0k7WR6iV9J)>zh_2JaE?}7>(*eaYoiP+0kkkBv5Ux5%#0RY& z$_y;~NWvDLOSLgUEg?NWL>NrJ8LXjhn`EVH{%LgLa>G`prF;${6Aq&VCzB3K^jC5M zvG?>PAv|6pn|)&p&S5IUf#l)RgQ-gAm6gfxAtmIeNjKJT`V-wBv|Krkv|)JENgF9r zsSRAD-~&@L&@uPH=61}Vn5&77xuGss7e512&KwVZ=@CgZdL9e7yQAIQP`m4WSLY$t zuCBF8;s(GieD!LjaQ#@ozR7F#!LI3&)>WKbC6Rn>(E|OHDSrok$f7i+us)_h@UTJ@ zo#9(*3UXDE0nK9_(8~Nr2O=#ns?)laTrvkEf4E#y?-&)!A706xyF%-#$l0L?qN81@ z%+3g{G73PU>E!Z~DNGWyO`Y+((&N*02sdpc3Q> z*WhCEmgeFFyP$5mtic+j!!XEFaCQ`Olr`7IG}jaPySc!wc6vdP#Vp%f)zy^A3Nhah{@)vX%KoI8lDX zn{9QETnk?NbG{FUE@r?k%z8NT^ZW<2(|mwF26Duk06bg2Cr%WhKj@xjVJ{*3dgbVy z(NXOj7>C(1PgP-|S0*Kcb9CbRnjp zPtZ}OdR>ECkBD=6!peemSP0-x-C!#Ol+w^13X2B8h;SI#qTq?4?g$F{^q9m6zYiDo-P=B1-3DS0RTMA|sC&7q3HX^1jT<8}fb-V25B$7XQ3!Hj zR~)QvSKm-&R$)FyMO#Q;lMG8V;;}g}9!mPmR6iZ&0Y3m&W77t~GYlURzm`(#hgIUr z5z`Gy|Joa7G7RTo1;0xi7J?oiU=%Vz`$=tzZZ2Kbc7xO-Wh3p)NErLV2><7*#!%CMeajQ|3)Vi_jEFdOrsD z9Ae=c87N0!!WPQ_Pw=#HnMDH9LnNlKE@o2M21PUQH2@oGmy1L2O~>d1AO;*9zan}G zMtO&=3}x9dtbAXwe#`~|w1PJr*?34%8_58s093WUJVTx5E-e?<1&tE30uf$cvkXrZ z$|>mOM7|NLl>y`;2vjT;!XWq(5KX-q?uZ_c?t2>V!X|heh63wpaE=V1MD+-fw;Su! z)o*B`@niys*|K1bj}<7{GITQi6G4g)r=GdXpJyAV%Q}~XaWE|4mMwQsT-4!blY4{? 
z^uQ69WPfk|lUNLtKA&>8{QNc6P_h$$Jw=Ns6&Jj!s=hmg5HA8YZSODIJE!Qax*qSC zk%59bX0%cc>F*H2@qq{JXLJYx8#;i_O)_KFP=t0YcJ#BDDA!+vAyOStldlOD_X1yC z)t|?^wuGLmXQ^(8pIuHv@l%1XVu#_H^-=?P1G}d3w&QUSBY38Nof2#TVPg_*edy726pD^Q4N5QZ`Y`!|?1apzeojX!| zoK8!isutmjxB;a@(~GZ810F49N`x>XV5uQ(-Kl`q?Vs14P5Cx?Q~1^Uw;UgJj{Bq1 z4eom!H$SGJv)J7%Kni0iZ`hm6t_;UULzhPdvt)oXa7LTELH!@$G=$ zA8J#r!)Y>1qId40aWFB1bdGXau3wo1fkb_p~x%< z8>aC2qQ&@v3-e+lmQAg4G$Shjwt`3hUS|cL`$hN*!*KfgVB|?Bg155KMDAHuCxL=F zJ`e+H%zB@J<6*9H^jQ}}8*d;@5g<;e>_gQkdNsH}$!liZ{@w^}M+wIe9WU>+Z?P(U zS%yt1dxx(DNoy_=LO%|p4;2^z{GYhDXO5w-mDYA9;p=%o6!U#n#!L0#pet*XLQxke5^T5J8-aM^oUg_#(sjZTvH6;7bN?&C zPY5{7rO3iI&Oenhf9SU+p$yV_YaC_D=3ieJrUuLiP{|^=@vQa{;bhm;X7)Qv=-2c3 z@z%MdC(w^ClqQ_D0)+qm_Hn2(7o}~xeCL^?) zGMnV3%45mAqGbvT;%Ua#K*F*kG<>2DqywUeNPf1HMxkiA?z6#R50bD!lG!Cm7&0~y zuzXVu!zn7l3xZQAs-NR?9F+TJm#zBD_xf#L1fw>L`!jx_QXb6dt#)>ol1MXi>gvG0 zMWCtA<<6f&f8qg!F+UT zbwx&W{*Sg04}boY0p5q{(Y|C_pFKz%LW*ijtts2mSQ%v^`*C4=sh8T03D~?-nvVVoR#|AbJ?0nfG!9|hbz|}~5ebteG+nA--$ID1 z0c(%eSeat~lPwFe1A>Cg`g$KH9;}k|(vj)Zs705XJ9W<~h;cm7S+-j9L96pC(1c}k&uEMF0k{vxX7SD%xDnskv(t9_%;5Z zoo;RrG_bBNr(*H95p9Pz)KJ~p&g+eUZ27O#<9zcn?98=&7AWg;Y7>0iZ~ zth~HmP1zVCB5U_^sHZ_tDXcIoN}gD~z=0-BZA7-%DQW2QTZ@(6eqlgOj&-ue4_G8c zcQo4{r>^C@6Y|JubMM9Wf*X~rn{ijCv%Hp=_e>L3YQIbZ{rkVvkDc#6 zW5--xnW9M@p@$sN?#$v&nAK8K;1S1Sw$kE*3XG!I=E7lA&7#p<4EILP@}PbfatU2n zQ`|X{IU^gYS&9s!`H49Bnh!`x2=|D9R~CLvFM$8&OwR~wowx4ne5pjVo=Wa7`n>US z538ELm=bF>zSrbYc3FsL#a_n?-Y_1?Ih2aGxdTfWXRlNKxU4LRMz{o`4GbShu{{9! 
z1wW~3|FQi;86sy9=Mxw(BNE*qkxSd^QjPI@2EZdzeQ7`jc)#X*z9pNg_zu&?(x+8z z2Qg?ifqwo=;k&$726Oq~z#Y}=bYy1NkXk?1ujQxiQdNwmB*cxFp5>&fB57Z*()aaq zYB+t$5Pse0kX)wF7xG`Hhxpc5iUp47B|IM^2G;i^#Bucta&$(#lHXwiCp%K&_f+90i%`Fyvs|89jhe-kU^%$_HEfj^%Tf(* zW$E};zme-5?UFzmsdvV)EYT!^&R8_|C!;W=|G8zflWk+2eJIU*<3)5|jRHsTLma2MFj{cqB%vC)8H9sy|`P?n?70=y%|*AH0ZKZYibk%mTwdBu!t zQW!nK=rEw?8Gv2>X8CoafD`qAK|S@FYND9-U%B|~QRJ_=I&~*zn9c34o|MdbymFuR zX=WPwJ=J*TBTi=D-geHw3B0OY<6qlpe-`nF{h9Rx9?qwOiT43B6L{yPD=B|8Z(o6h zcKJOXbO5lG7N91Ci2@rpInF#4M)M;fRVpguJrIpJ#_3*S_*NFgJbo<77-*n-6*D-z z*@m>RttFhWyVpIv?2PMddhl!&DX1y`Br@F4lN(sb|Mg)0*KYkGBL$!z>1v)6T3p@= z4vm<8KRU}#Hi(w1o^Sn8^ZkY6K@L1KtvWLW9|uAWEZ4?5u1Ffeb~_LKIKj7k^U+}| zT%K4l48NYZZM87N!+!S8b$zMIgGcLnq*6vKZ5kY9jVj#Z`XBTqXzRO%jHHpYO3dL& zj*s%5&q{SD3W?~gwx8ZrkQ(U%fL#UJ4|q+gRsQ$^F4~;hnVlm`(C$SXJB5V<2}k?E z{=1ZEA_=Ns^3%VYcDv|xH%z2gJo}K1uH|LKrv70xYLDL%x3&>H$v)C9@BTUw#2VF>4@n01bp^NlMjW+AIpD_K269!|vm&j%e!qn?l=b*ciW zt2K`{UlJIfvY14uf#fiIvY-f0VA#RCFc~5V3%pXevXYaoyQkTTsA9_d-iyX}Q;L&k z&JnfAD{h1^9^iCBWKj42fIrw@z@Rw-gr6DOBOl3D16QBX8-nEdT_gRkM)Uu8s;tro z1aJXp!t}*+!}p&p)i~VADN>EuM?f$T#KazTN&6F~?wsVBr<=u`;r%gXd<_^KJfO~Q z_bnsFy{NSKrc7{C3zhOUQs)yUAq>c|7$3?6|J@~ESOcI22?)LijLZf6q1(Zn1+oYO z_KQO9hmStGp_(Xyj?#X4=nP@S(tC~&KS1k8sw5=F0oncqWQrmYyMgrfCf%9IfOBVCo@>WS>x4LzDufo;&)lEX&<8hF6 zj5r25|I%=1J^Qz8qq!plJbLdd&7E$v36VzH1Y%Oi0hU8&HEkdEKiZCNC`}8iNN_^% zcKN{4QfL<{e)!KhN#*Tknm4={Pu23$$Hh(WCCo?C6)5jxyOMwT&7vtnLg>H%n9M+S zU-h3_x-k%VZ+l&bE%2>ZN({Yz=JV@w8Pef8X z%l{Ai_-eLF5fB{oS@B$+QKK@^jNCOwE0R(m+`Ga3TlWM$@zW~z7*$772mv3kvyR;I zHn`~7tEg-A27kLmC%xtuYvFR=4F9$tD6nnJ^WOXaY5@ienxnkFYwKDLXC23!S-qTs zbw2?DT+`h6&PyjHl}`p0R!&M9EUBDoboSn!e=Q6Mnt0oK-J-LjZ=0a0Eg_5s_*fjw zuFZc?0Q&D&=#)l9^8d7l&>-X6i0?WL*U4#eU6sv~f=#>+Rv&yF00vvP%_FRg^x7LTeK!}(z zU#I-N)IMHA>BAaZE909ay@#6e7DExUjgNzZnt09fOzq+&=E6)TpGrR-$FYw2W(IiR z0qIcf!~Y6c(7yu~=Kn*$(!%sSTL-;$SqLb;wAZnW;eO9tbW?pl6u>PL+$u{=j#x+4 z7@imoHb&Pg&H)UqFw1LKQ0jfVnv=%UntH~Jm1Hx^-Hgq?rw%NPqxEbYuJYTeGY?nf zQ!(jYC(NU9OHDEVn!=wP`3Ufn6p1+7cWA^lU%Q!7(SQa;SHzkBj+yfNr_@o=R~-n( 
zj7HOb)m8Gpyi>lT}~ydd{5VMC7t=6{1f?L;i)T5-`~>Lfd(}#Xf#uR8opX#pQF#|IY{$Q#yuj?;f82QS7#%gQX~qA- z0|QZ9f@bOw4nG30NvyW;45t4ZBt-KJUAfL@Z#NwO9j9K$*rSJuoJtk;rM8`4h!l~v zu~Nt!NCswTci-_b@*pY2o1wJsRNV05w1Np#7Np))5eB(`DgvT98ZUr|rtbfHqJA~# zP5CYR*V-<67Au8x^zVOU){Yc?iF*I@R-FJ_wYvG8ppp9*jYTnk7+`S2kx;k>_DmEJLTEd|6Mxiuq8J$ z`}Y*`Q@pdYiwx7O6FDK$6J-n>;5{IBzEV{%0~9`H_uSt=It&eQmpa!*hdo{(11Mvr-5A<8uS_uG6a6-rad8@zq zYRxJkXS-QN?J=ml$-|=X%Aff)NE=#6X#eD=eZ%rD2DU{gb)? zM1ge&82*eVd`#(fk-#b0_a8k*V^9%w^y!R=CV5~=J)0TmAMX(V79%4o3I z<2NPz$2PRl8JM`QU#=bv*Pn=6Jb@s@frSxbZ*vx?V|qS%GaHD;_KoPC5xdx5{N98x zNsKgB|NdDQysQK&+4@mYexA&CDX{=)czzT0V_oEJ>3syB?AsK*Q5t2^c>|MgXHsXT z)2b}~eZDVb;*Wgh!vmb%9|NB;Yfj7m=nny4t^`1*awAc^`3Ur>WOXjSgng4l<4JsA zdj9`ZN)bx{L{gB2z3n)+(sDYX`#7J1sO%fU@S_~s22Sq{UF$)Kr^&Q5#6Q{~t!iKU z7}4MZ@rOjF`OtyR_#QzvA2883jj6C8i#}*H;0qWLe>&&;zkgE&-A4GK6?;hgH;)3h zEfxkyQn#Jwp_N8imKPn5zZD-Vff9S4om1pIr?QISyKU|DEm=2m21LMzzPwKR*prkv zlR!xuAp6HL|H6R)Vq-)HxA{W|4SG@h02zh;oO5f*zX5Ce?UWEce?#wE`_d$VA0tBa zAH*>NNU(7*CD*ax{zS+~8dR_YG0|7x>pL?28U62RU}|8NI^4^75HL?$ITVd}`510YZ8@0IG+4no!1TUlRhQk__cWpV*8eX|8pI0>IE`*0kfv%U#otQbwK|ZIt8*KObzWo*by(eg4sWWY>Lb ziI{^DbDF^qyRF9$c;H`mu*LtvNPXsqJ>nS@{?{FP;2(gmeA)+zW6Cu%z-fB8E$*X# zLzm7EJGv^goEkej`2S<=t>da%zkX3gR6=3VC9r4&0cnu#?rx-!ZfQl3?rv%6UNk5j z(%pijq>EhSnajP|@B6v;-QM3h_xv{%SZmBN#~9!5_&(!#rXWNtYSt09$eOEQBfr#a z(*7zmMhnAabnFp<`^<-`nX8E%s8e0MQzTKPJUGwegEZ@bPkp=X?P|F-#j=2nNny6( zvY7ZMY|*Iep2!4KnZ#Z)bA3vzNUqvmx-X7@n*{1bxGx&@LN%HX`vGua^clhGouCzP z_kEd2qETxEtPcR=->TK5C8O+S3? 
zG7NWzuBDSx=!AT;1R-JSUP)}(lHBQ{yCPoMyFze-zYBy3W^h&3xeq!?afGx%@(PfsFSC++P|73f6VL)W?om+F01P>MNkwV0scY?COUBkwKXY;RS0f$dD=`6*U>v44LL-LDs z^A{nRPl%Mq_hTEI%cRhF4!GU-YrCqP-E*EfeeZTWqB5T6lP4q9tg2Gt;5)ys1*wvP z;7^H^aryFazip2~lXLh!oe}>yBf~0l(ZW8w*=4>p9njyyBvs}ma8##6#9e@d?&UDjwU>U zeuuv$5dJZzC{;H`fDOto;th#GL4d)OzJ!3a=HH&cL!wF?@U#_j4ttSA~(S&5EZmXzXb9w3l7jRa-}(i$%#0e@#)A7KH0c zD4D%(2rbW&CY0o+MpYxB&U1@%S&up=(p@yA`NdHk=>a8;mxo1D&&quyN-^L&pI3#U z{L+dQCr2V!!{oV7Tl}NIl*inVr8$3S2))9@wp(6mLyh`l`-KoWgsMb)e6u z#@KYjU}@_hMH8u4*ChLl?~_P}&%xRFn)$Rs_3-KE!YFt2XOcQeXwhp~xqwG0#S$ET ze>;#uv{Zmqd8#(2DU^V(D7RTS5MKfQ%Qaq@JHjTH^t5nb`t5t#`=X$s`#`$s0dZjj zO~w-<@wR-w>vW+q8c}|+VFCL&+QH*|dgD6$f*bajNqm^Z_wZ%IN;Yv*jo3HVa;5}i z8Ud2h*T=Xm>+7j!`y)R59D9Zwd?qn3^rj3m1?<}m8_tUKc-U~!g}~1Nlcb_eb?II9h0_T?p=@y%xgv5sP?P{n;Yo7XiCSVaoqZJ3p*)u?Cty-oVgiXz(=Og zQbn7x8J6>LU~-vcamC&3atsT)TWs5$QH#T(G2gDL=KPkI#9t5-p30y4lYZArz&~+> zfPa*Wxh~~G0LLnu5a1yY!(qk2b?1_jy!RqzmH)Tvk$}JBLIr}^4e)kwU!p$}^mG@8 z1zPbqNAG~$^%L(^ATlw(@9kSdNZR2dUT$93QzaEWvT6PLoM*S&;XJ$>G<@|yE}gPU zQ7XsJ590|hUEysF96^2`)Ov}9u55B!agK#am6;jb749J=M&<~~UT z9cUY@;F*TJyuH3goCS7*qosfC&c|)oLbvP7^G(JL#(p&tIsA-jGlMJpQz2pbH%+<% zgR3guv+h-k(hrv!eH7FCj5miKy?bt0ygKG0(0ZIel3{=wjVuW8 z|3ajD?=gX7Ru=9uD-Om4z!{tAgUBZlz?ZN5OZCvn{Ay6~I7Q&-^$w_E?aV;MY77NF zK(^IHG%7NYy?-M!l`=GuV`kBgw_ZGdxz(;9H~hBYSPeFAb0B4`;w0*PyZC5;X?Rv# zJaU)9)Rb6YRYrrY-{2sHYPlKeQm8YD{j{d<5j%8u`84k7g@zk&q>R2c?PbP|$?+A; z;2Bw>x6M3SWX}hXWDM}VG0p@;cZMs&t14Z*S*8>gV0g;QA0nTw0mJ8pOIj2FcPHYX z{Wkm_Ig&YW16zzhqB6r`Foc{33a$=KDKwf%_ipAwUE@^HXLCC?6;q3@c0Uq0t{f~` zuzy4Wd+xI-+O}AyJ^86Kx&Q0H<4swb{a4f~6L;fcb50Uv0R3&Ut=T^1FB*S*yunnK zxDqHE6R*!mFjAnr)Zpa1tu|kY%Sx<|gf48z2R!`}8d}>AzaKk1S~CF*_WyDJeLDy! 
zyiX*=-wTofzk?lPHg8PkM>(8C01qXTaNvfg==y!YQ6zxv4yDr4h+2~)FN`BRRr6b$ zzF~eYV@xb4Ulws)s8R@2D2D{Qf1iax8=NxZyT#Q+R*Q?ObRoo}GN*(*k`XhWA_R4E z2HTT4M&S)hnRUt}Z{K7rcr6D)=fbFLja^?=DRRzsCZ1U@r_-#0P8*Sm~t&(ZUl$ zc+A@K#UF^3R4}-4FZCdmfyV0~Am|H!)04Q{8#9f<654|aWc}t6p&?k;j^jY?Y^iob z3IEo|2UaCd#_HVUalIF4op4KH)?G?t1)!O;9@YBLJrzh47CH$X&U*SdyRENt#54CL zr_sY7bvrZ)%M}s@r-L0J$rQk;WBvrB|3ncOh$0j|lehfnYt`1rqSU@k!7N9ks_zFbnE5Y{;K;57Ap#d?ghCJRYIV?N1$I(Tq<5^)8! zvm4lLpr7_!pg5b?^zr=a%2MwZud3?Ic%RaDY_IjOqWM>ZRj~1G(b7u z_+P-aPd?my7Xl`573DTN!ePziRMPt=zHw+)8zE(mHTD~PL-iUPKo9$rMHJhZ|`e9(~kRU zRimE>XPrB=x5rsEMqoQXQ`blAcxhrY((%HZBBky({0R9qRt?Gi%WyhF_7F|{V@~k z`sH*pnVk64NU_2}+SO)=o=G`z^(dohyc88|%5FJsd4Y|!s2-B$zTeH4YZuwSe{mM+ zPBsFsMtkjDgLlpo{3Hkb&$A~;*dGDsz2;&;K|}!vL~az@JP9fWrF-``I0FM)0Y+A- zE1f=ge+-n4U@NsMa!En^3kCgXf!oWLprC$mY}u?_w~gA2NmSX*v<0%VQUiV-E8%JSc=s$S;NLb7J1U(B_+Wbqcz{g6udG>p_(S}-V~8rf z&>5vH(7g(|+WD&asIcfoV&?Vm6f_)5Ja^M1HNN$F1%-RHd2>B}TSmL|Qa~Jm8xfgO zt=6P60>B0uc)#$M0nQn~*KQK9ARxv8KiIs7&;=9%N>~a&LjSEKgM@fPsbilwwx1cq z_%4wSfG;Nd0?}d((yB`V;7~iJxq<`=#FSq-hkVniq0`>^elzJfuHY7P?M9+{ykq_z zWC5Tl(k8NX8vA9Y=h=Er6xo_SZVe0kIGqv%)Fk6!+mVp{sf*j5Y64_-(8 z)9a1CZOdNlouEc5s$FZ)C3qBbC4%eL~gcedh~7!#&_(a1jHCC;&fcw>QB? 
z!iEDdnI(h|_kZrQqHHis5_EmeWVcmPV>y|UD~7TG-23=BPi$=}kU!42m9Jrv6G!|W z?8=9zpOkSy=;HLVF3n6?PR4jv<~&@2aZ# zaAQ^74R|3X6-}}$^D?hP?vrheMVo?~ubZ0#3T5ex=nDEHZ=S|CIKp5Wb@8nHZNbN% z3%4LA%*===K>L)dNJ;Sc&KhMnHuO)L9|TYW7m_Jq5B~=C9tFaO|DL-6NKoWWS2dC9 ztF1Xp$91`b-jK$rV4???8vV}$t;uP;&60qf@0pC;*D|s{d(tC^qf-yksm^%06;e{= zyrhe;5I2WB;v7e~nuF>*V$ z-hvQHf%LWq{|8+&3Wf>a(B5OG9h36$%sBLolDO{tDQEyczga53_?H=V*Jra57bj(L zX_gc!pRH#5#bFjVbPYEVXX}ZaLvbDy1tmTw2P)4uGuf0GxlBWanCbxu_pH5rt(WWSBgg)%)Rf#P{T*(Poq1Ib z*e1{>HO?=`CKfP6cMTAVZrbg<+Cfe2qcRVVX>Fn7VZ%cg`ZNP4XPyC?q<5XY6c!S> zWKuy%i7dywPxCXMAu1M=afWFt4HB)*lE7Cd#EBos`FX^)5C&d`DN7%9LFu1ch(`;{vnl{gdC>_4$w4 zC7(90v7}AMnUuib#?K*P*4(B$H?+IeiRd1Q#>UbopL5Y4eQ85WL&_rirkDQ36zt<$Wb8Ik{CLe|<&4g-HLc;m&1A>at{HlY>TM8ahFYDADAw;QWSy@GLpfXA4 zj##s*0T(e$c>i-bg3CU@DKdhau2X)mV6YR`wNs!9z0S0;7yA2ea1l^fY8G^7+#cmf0#X%(%;S`Z7K`7lYS(v_ zyVO<)(UQj5Hty0lf~x~JSF5*!Ya zEnluZ*X;b705kn3(enAns~v+|X=k)Ye>K5>$tGVeFloy_N6G9b2P0LreyK-C*n#sc zjQ4+5jQ_6d$7wq1DF_H|3l4!^XHCm;U!}*ZJ1@G;3au!;; zNIY35T%n_^bD8YT{BWXg>^XfZ74W7?A-2a?Jj3c(iFM>54D^TueM_8$n@!iZAC4W@Y@S}EW!sI*);o_@Z` z)w-JnxB~-{_a`_){q&AiC+FVlxuNBHA4tiOBv23n;LSdML>R(*VIUHpQw~CUfDg=I zW`#@Zy>N}FL@n-G5X=XZgjH=azue7*DrKZNcnccyf+zKkVuB;TG>S&)s@3k+++sMc zaWd-BbBcl@un|!Joj>>GGlGW*e}lM9WWc|(&j0tl{FnW;!Qe?gk5q`GLCgbre!KK$ zkkC|c5D~aSA24kS6^m2olMGPyC?kpfL=9pxoCc)H6k`yjg%DvAWjUtXF;tGd$#}_a z-?(cjcfRG{X`-4u?QAhx{CVv_}SXI=jwe;3JpqbgJaDo%!wQ9NG4y>>pOP>fDx77HVVMG zyh2#)!>EeAlp@E5+muDq)h&etA$2x3sp@EHkI9WOr^e~3u|afC#ijI?Z1Cl0TBcb3 z7Dtu}yZGIgMRi_#NrR>b%nwjmI6ep(x&Y2eL%!3v|4-Jjq~npGLlX3BDYu>qw!ViV z$)`(D`Ski=<43&|zG>if(^4!3LfQ7-T=UI=r*5rGw?5|-4d-D>&{C#|-3i^r>%$W_ zZ*al&VV-DW30uYgoy8QZ27%$Cx{I3^81HK1sU=Hx_Z*|##fX5Z(7tA=RbPK2bs;N*$?;Dm z6*9Z!%C;x_8k2A8J;u$+&FOkqO`o!?y}QgEts8*% zrC%RtA84Iv87z|@;g*JI9&hVCpPa-gouR#KY!ugOsFIpee`rJCv^`xHt-{|Fe7q9? 
zipekt?P^jMjan^zN`I#y{w{N4D)j2w3qVl`Y2q&_V}sWe1Gj%C$7-XYU?$mHO*F0@ zEv*`^1nhR`fLv%y)`ud~^7M;=q*4!=TYm26OiY|H!lAK3#{wG)jESr^#wqK2v-In$ zRsbXS-BQ4sv$k~H#By45GVo<=JV-N^=*8KzNzK5@s2lU;eW?@C_B~)LmNb)Fy4CGx zg4OPNU0pMUxxwk1W7uTdf?RhP33$+b&o!

OEca!~H5baxLRhAgXRzZz?}+yv-o5 z+3QH3#ahvZuAy>k6<+jtYYnOHI7%*D81S&_=?{gA&<>LyCVwwVQTn3&p|*+9`?1y5 z^wyPmsg$*@@6mQqyzq=An{+%b;D`wiM;x2Zm9ME`lYmOJ-ZRPrvC4~;wTF<&ZM346 zrO}Zx*emyKh*!qEfV&q1dwToS;6gHq0MngZ0*Ttbw?AZ%_q5vNCE8%eSyZ-L4b?Y>w z|6R!_j$ASw18)d6x#PHZ+hXkh;caCH=jZ4TuEb!Tuw5z~98-?%oY`JtdHI*^ehyDn zZxpvhVg*wMJ5mUZme1p&e6P+#Uw)(!#HEnH6Cf5zp~ z2l}0qTCy~nV$9Kde_?ZNsAofT;CepNEe4C9&pCX(%?L3{uk}2M?d|I|B6Ayh32)o_ zO-CL#*P2$#~vw4VLImWtLd6A9o6-6%tW>1=zKJb`oC>7*EUV8gD-hXJENF zmoQC9CeV>R%$l6jCi4#RlOBJv-7w7#(hJ2{&stxY=iKn6C*RonCqM z!-C?2m+>XXxa8QESaw(VJi)&4@VC2+F$n|`#q~{}d}HF5wM*Oh{B92dKC`s2g*U2a zjQL-xhm$ze@|)ST9OKnkPT%FA@V@F00&~Nmu<|LzA226G9+7*a9dAA1cIb^u%Frw8 zBx}~@Zt8bz?3}X)x?_PCNT%xYibAT@hyED>?} zts8n4Ivr;lLP#CD1E0uP)JMRD>z%)a-A4dCn0yMd&Y}e_u*C>85fQb4&QIz_5Gbhs zru&6RBf>gL5BfBiGL2$*S1E(beSJP#wh3ti5@Cv^YYp}$~Nz8wjWLI)e zIcrbmxJ9n$rGR&F5;&syOey{9Fw#y8+jX`qlh>((#3ti=svLbX7Gv5o@9A>4yoICr zMU!cpOWgHf-`5vCRXvFragA#72te~caC_~T=H+_!bV~EU(P_AIJR?pc|JC#S{6^uM zlREEQyG%Oz5n3J`QAcX;yuO-Vr5+0N?(u0d49XxH^dB!T|jA zJlm)O8|f`PVn`qU34MaVO!7M9O=-uPak5G(T8!qzkjf{^pXQ{AQy#6(#o{A>HAuP1 zs`6`5y~kW7Sq;7FqG$u+#Ji%U$tRhIfn6ZE;_aN3hUE-+KakaW^HTENHmG51N7 z+#GKgo<6IZ&&B5Us2hAhrp>oDbhlOHHv82{WLuRYn!uU6*11EPA#~E1BauGbEBe5~ zU(CQ^eBN;hr(DeQe3hAEoxUI4Nk4fL%ie|K>WzrWZbFOKSRibq?wy0UNE$Q?DrA9` zv#hC=Thi4JzL1R)(Jc~-RZYtDP*^My=f3SPtn$iJ7<#$dr&D)8)A4bl#32SQE}<^_ zDD8Xgill~Mlszt=l{+Qi{7fr|@87%6X zmv4ifwT(-I*ICl*v5u>nK2rYI?GL@;v{po@{K0Ce)W;g(TOix zDF;9po^zhfoU*t!qcmJ~Cqp-QY;9W@Z~AFrHNIbdmE&UDa(L@7aN62I z`lJ4*0wfe7kIRy&tAi74Xoq zZQXfbIX1<;G3Px^2CY7bjHino$%>JXL_oGNjB`7eB?x4TI`nQm&-$_5k^;tT?A|&% z+L-PeE#N0VIgwW#j20%`eH^4dLX&MR92SAEW}8 zCM4+aW3z!uyk=18)=?9B)S?`DP`(?YyGR!Ty;G8NB-nK(7uiNDdmBd|bM)YZ00(3( zEy+j|K8M!rRd)6>Z#kfH5EW*j)S`Qlm|W!?AoKNeX<-zREKfYsZj(|fP2*6|ljX*r zPhpD!%eIr$`3B3<4Tmy1eOd-Hs&9(sa9^UFl=p^QP&e!g91NIF4@aSIl!bj9REz6N zmat*e$Y|TsF1T2}G#dzB_GOL{d~{r#kXp8=;&E0Krp)_-2FIK&+O(E_LKwDD;L8Q; zSS&9&A#FLX25&9ckLy5t+GHceuX={N`$se9>J>HdX>tIsv1n^T9^N5fB2d4!l^0|a z;0uBTjEp)m4DgmyCh*@I>z}R|CRcrt14rdd5c;B*?Xjj(dyWT 
ztp&-hoE&-ZO;}>bva@I?1dju7t(rC} zik^y>-8`6w{NjQo*Y~r1PIIlAtZ`1P#c@M^{*<5O=j18Fh-mc)-tDiF!n1CPLM+>7 zO*ohs#->p~Ks^fWPq<^@TaJL!^di!bS%HZz%A5dGokIB7j~DC@9myi2-|@l`iI&!; zsGqm^S;B{&(-XhISk97nhOMZ;+*#`giP?$k%Tpc-|IceHF(PTZS$l@g&%75+L_sZd za-jq*Jx>`O&#;cxArc$nCPnlErWXKNtstwl;+sWHWbeIi;I6HocJYhwZ0o4!SxxlS z&*nW7!SW*c>-kDU_m(s_7!kDXY%oTxwO0D(9bG1`O9u%{{qo$VyQgb<82A3`ST9Ue z$^w$M0IzL-hTWSSb)IPPAEJafBFD0ML-Gnr;l z1LY~?b&Dsh#3}))4`b1OViS=J@dLrMJDo%<45wSbN^2A^Jh}*2MJ(adFX6AM2b|%2 zt5yFGjkzt35aY!-8|)Wp!R(~!djDE`PM}mR`e+3*j`%aALgEw!B`qyWv4|+d?BM`) zW+4+K218Y($}ztkMWc1ZOovfvMkTGUc@aUn*S-e>q2meS&K!#s>b7lO<^-%o2igi} z{c3WK)5b?@J8d3%X2Uv_-QH^ANVC>C+Ow|*_*oo!?pF=h3swD4Z<&6juP0L7eAtcY z?tWpEe7uX`{$nqX<@$P^+NA@T05%QGsI1``EUQQG8&VXqS<+cG>9ZR@d%H0X9raTi zWuQsIWijA)kSQ#3O^d4wsF-`HetKx*!bT;^l-fVm9iNGWIXS4qJJ&8Dpi@(?AMvsf ze4=jw+n$Cb9C(fP(&~aVfjM1J#G^al0Byk?I>c&%i1hd1V@M>t>ahdMCI2Rnx&V^V zuPX8Fwu6>Y>5u4TG1X{GBO%0e*fRqtgmfS3ol!0$<&Z3c*AVFgl1?c-9tx33*HuX2 z$sa4WWqpg-p?pNFBEY~(I_vpu(n2(F`Ra(z{d#YGwDBWaS^TnoMawhD=A+EF?Rd$~ zQC4=hf;V25o-BKdn$(s%Wa*v{C>)Lt(qr}c7Uy<;rkLJjKhiSP9-JT|Sc@%NAv%d- zjU;5eJ?NFoGbmTE6>yptA??R&J@T_T!7RHzn^R=uGOtlpKk})-9BwxfsXo4vQtoUGV-y1rU zi9>y8?GKJvKrrfi6=-eoCR$+eG{fs;?D=R*zhS}N<6cv|JrnJ%IEk1r9G;q|k@v@x z&DPM5{N<3C6QRQdw&D5LGEpMOPBioNt~?&>uugREbYBCVZ8FX!7L~G_qX`Q=;Kf&N zv&P@vx$FlM{id>(Q|WqtP1hlU6*Ykh7_i=FktYMV(b;NvC=@Q!Kx_XTe~vTm!vn;T zJ|-GtbrJz-w+&?CqAwjKOatQCCd5Cptp-B;M*X8UnmL%|`A2F(920j}=9B#?ffv+o zDG-mhXt;OgeXu|U)}C3%t-B#-Tbt@!4n`kfsy<$OIxL<(-lEc(0>8dzK?70U;t0q0 zP4yDX-14MgZ?EFT9Jim^^-;ub&Oe{?+^Ze{!=|27n6yK#^V}kJRC zA2HO~d!N3`f}V^^Xk|3?rzwaz?75U6{TLV2uE~qQ;Iozvg4v$XQ~GTw49KjfO_qT_ zY}EstSUD))&ujnuu}vy|O9Z#QaRV%-a%T>6IT1+EC`<<4`MdRqPjCi|5)%7WItg$Y zGG1mW-e1`JFC#A|I*7>(iOYN<7ZV$6gEG`5)wGM`ezM+n4c14n!0fKQS~&&SvHW%R z6r<2kMIUj>lbC5bYTjIC2QHYKU`{jPu&h*D+EvpS{9oFjWltSZR=%m&? 
z=hT1JaPqamahVlWTWG=KNFSPNXG?Q=!16ZT{>VGVJidV-G9 z+7GJmQ^?$$;4`xj7t( zv8^xLcgJgeM?2B!-<_+*N9|&mq&Uj)|FV1`v=KDh1Y!2zelBWI2hoMjcg(y>@r1?- z`}lNWH~eTLondywF@-_}P7`c6b|y1Q9qoeQAQCNHEqB*^VNwC`ORN8gi3|u!DphMp z3VhyKI zO=gq$NwjJb1`KFNaBLF_+|JPwaMVM9=4;1}DPE?`Q^vN{O}+R8E(V)tLgIHDc0l9W zJ$;OHu53ie-L<}z$JwVm>LE&Bsf}_NJRB2(eQ^DwuP)Z=e38pf_!DWzRyV5JgKkt? z$%k8C8npU+tsd3(J&sp$T(Q)_eJF#gqzlAYNHIytqdS`H3=lpk^F>V;_{EV9c#Smd1j%JPNM-npx`q*Y12 zWy`c-r?R2SF+SQzy-A+W)&H5#h+<*U*c6NS>C2d~etf!jpOIE)x}Y+7Dq*sk)ul4U!@|CWXcKSadfEztY}uXgJ+P?of^~`_rtA7vFyN8Y0Srr7fxk9O~6-IFOUsyL0fP=h53>Z*ch3* z7V=HDprCW(!syKNuFpjg$ZvZdW(6FYfx9}+YCS-R_2yUm z1QpaE))qRn8*jze*JQh_aJpz(v0G(hK=695#=23d^!T85zZ0bQYc((2YZjK%KHuIYW$i2J>>)aIA1O!Yh_MP_ ze~7pCLd9D*TLYyMuAULkwa?%(d)R@*p>OhbloIAVx~IOexLBuuF*Z}#?p!LkTG+g} z*4h+cU}|gZ_2H~Ah;R1Xycx@x3l`G7+lY6U;QxJx9@BzvF&oFkz!villQs1mmWQU@ zHH9qed41GMHPYQA_Nw`(-DXw4N1QLn|6MC?R7Gr9&39XCrq{2nE>=A(9Y%}$DLvmo z)u;-pheT774|8sv8qvM`3*Zbo!whwFa#B&67vI0!9qiMdp>Wg zdZkw8zC)=BbaQ%Iom|P1ycccby5=mQPk=Oug7jNy?8T$$Q-DSLc+;7tuC$mA$i2z4 zJ4jKl8!~8CUP@Il9}`dLt-=Z4A(Uo&Z?g5M)^Q`4!n7Ep1$fQ69ev&TS);2>Uv}p9 z5|NE`hz#&*cag3qm+9{6^F99F^SFG}4@F_GGP|h?HE~<>S>5H3RR4TOrWA^X9LWpH<)XYlJXx>}&2WlfRi0h8f z+hY7s7G`T`hxk;w`eE_jBVAiOv50S9MFdW%_(h&@Kwj*kI$w(l+7w zd0WaSZC;px3L;8p!qY`Dp;aS%h(eT-%<_*$5z!K3Fz28%9DM4%4h!_w2%)VSW&Cno z&Bbg_T&!^fUmS6ifhX%B%$11Qb#EMdkqZRKS(milWU4Y-EaiU4)nF(DOQmPlgahLZ zkdR9KyJ8R$4Y-L}J%BwAenD8=ol-3imkCk+MJ9xA9BGtAbl<4$Vp)mn$w@{hp4aKN zQMX!ttR$#H-|p#_6N{DYk3#XHo(;{-zON-)brM-5&M%=AGqAR%I3Yy+v;o# zjiNi=2kUff>Fdtp_HfA?GH1?nu&hK{wP9(0d5hO0R$k*`8E%~tl=w!tC?xq{m{UI1 z>h=|%$Irr@GmuSj$HTvO8~;63{=d5o8StuZF(Z~xMBAYltjE`UHrcAUf4zD538o9d z0!}D_keT9FFs6v#yYIf*FyV2Y8nLhtQvR+EX=HtQ#c7e{osnqpYkjMbARI312{Die zbUxjmsYK{Kv zyr)&oWm@W`Z(;z1FIx{uq_`h1X z$5FZ6`!bLbq%>tD$(dJ!2#U4llh4^u6R%cc*xS$5KP!IyN@Js$ z)m{+0)snR+7sVj_Gw6ZQzM>G7LO+tH!&pc|N5r1?##VOiWT?%Nk!je5x^N(WF)~>0 zB1~+R>gkztoHb@Aj-Dqz&o0^O25jENB0C62D6KP#Ts}%!*HIc|tnD>GOyjlXMi||EN;G%w@3`uC6rZj z7o~B=BB~2-$rdSU(np!&4De;zh7+FSULM981tmxcG4< 
zvrUn#yJZ!Ov{SWj=0U{IpWDgk2*iLOJNDXn=Nb&mhvxuWm*8N32mlfn%0GLhfS9Zr zM~>_p80Uvnqix5=vYzhPJ$y{#!-XSEj2!=1S2@70%Sa5NPILYv6{Y0c_hgvQg`46e z4G%4GE}91>4vq22vd5$d-=M>ZGM z=gLIM{pHX{<<4E%Zy2W?yO7BmJ4YJD0-1(mc^2wh#lp2bUvzLqiw58hj5+lw(D&IT z8uwHL)4hK`t>|}*(W-I32NLva&&8i zF@sI>h)P|NQUu=#Mlx&pkWbry>-AbP(dl9Cxl%tIkQ**`iSGbe7~TtFOLaeYL5Mv7 zm^lTxWMSrmQv-PS7z3PV`L9%+&H-cXmj-U1egPlG;M+=4vFm>_(mVH-tPSPCRi@^hu@ zX<`WGM$q}?1ZbdZceJ()*~&o*TpBCs{M2?YYfoXP22^)Czwf2N*hD8E;l7@E*?XFL zCOvG2tDb@cR5j5G7TP-*mI}TTy%S}~^`D>>3b;-x0N#uE19$~xla z7GvUU!xHh+#mop-;i-uawQ9iBuHUMcV=znS7^Ms%VHBbO21@R`ka{RoH)zmQLqkGH zHwflQx(oczM{wx#{b74^UT=c;m#Hf26Br?;5s5q{&9BckMbV~Ny6tOrj)JK(+$0s0 zNc!at?B2WyixF|&zangcsVXuTb1Zvvndd#b&XdTVi1O}!8uz$7c|@;`CaF#mK64>O zrumPU{d@7`C$#dM9KOXzw9D}M?@WymK>5S!fGBV}$H`z-pE+q1EOcitY#yyNnrU~A z<}K!FHJFpjGuvf8s^Xg$2BlYidjQT$FTcQPhHTL%Elf2LN-IJSAJe;A6ywbkQpqm_ z#R#{v>XRd920DXi61fH_Y8;UL{IR6lNz!yNO|V-Gx}Hpeo!jJJIh5NF5iSPa7-#e) zvX^{&9V6td8!uM!GOLi3PEoV40}1b9oaVjebFqV8!88}{l8;7DibQkHww6S82-9_X z&}{Uq`BWcOT2hyhkj-{3{zz`xtBtX>X1F?%$4B0CSXJkRb)g3{F_z}e?$&Azy}Gqb zhF%!)8~{5)pkMhiV^WGn9BKI4Of)T5;4X}yqWHZ{5#T(EjquE_JKb%*+fD~oL;_Gb z;L~}Z@gGK7FmZ%#9H(Ev#?TFFsx1Sf%Y8kfj?04Q^Zch?+60r7#t3Aeyc#9%#fRC5 zmmI&QdWu6(BNwW${W3F96@)|L7nUV52cgl|MM5SJ@<+1jPb6M-1|@Q2Ya~rW-uA&x znNLGCKhc(3q`zC$ZsA%X*AC40{T#P4-^Z3}jqbfS*H`b#4m0{l?WkGVQSesttH^xQ zniTnK?-dw$5wWiWT7_hk-#GP!Gl)USiZE4i_28sRYNkNu(tdfJuC_M3pR|lbNE=z; z2PNn%Y_UM$Ve%{QU@ur2O^#|*n*ob_1dn~r@s;cAyobQ17G?X~CrEcJ1{vt3pMTA+ zUKfS8B!2NiWFzoH9n#zD^wBB&O7N&{;YZ}$d(R8}=d;H^qum7jUgsJXme5b46w{e3 z^!}@dF0PR93$=cN%ab$K9`XPmkUyxFIL#1a?vwvCoeNh(hmTPnGL0l6L1!PD5VnJj z!fuPc_{%zpQls2&132m;_7MRPk;=?@b=r$UENQ>P6-+)|RIHY1NK&P6AkmlFWCy!a zL(HjdEZ%HqjCdv0lo1DO!k`e$N?IcoHt77|TP@0%7uo9UWpXkW)2oe;dROLz!g!Xn zuvP6Q3qr{qmyhOqTpZD&v4Uy3MtPWRw^6!AXB+b?{@3%K?CzrLMAzGSXgy>>jEpUv zwO<@;%n+Kqkg1yaPirLBThJ3`y^mk6jaPlCstZNw%;(}*9ZCVtDD2P+vLcqubgGo@+!Q_O4iO$(V2j6Md1cidX{+AkI zWoDyG()4J(z6Fx9n8oZWrZ8Kwh{{Xdro;_1c6p-}@?PAPS+KT+_D3A~lB{f}rZ^C> 
zPUa{FhftEeCwt6Co97g#Jc$sDIuyXYMM4_g0+r4m3Uh$ve~e4Q3##({T9UUvpWY&Uq?I` zJ0kiRj|=QAl@xMd!T$$009KtViaHEI1^T$$?~(){gmgGzvGm`028@KK2i5<^6_{AjkBpDK^14{4Do-b5Z7JdOuoIdHx zxZQlDbDIBxLQ>lhkl*(E=fApr5zc_RR^ySk} zEFZD>ya*-h4J1Y#^shOjn2k}->O4)4KO*GSJ z-N@`I7g^asg{cZg$X*LRdZo2!O4oeVS1J|uD|Fn@wZOcux&2!%-J6`T#ckEzZr81b zOSW+L3_djUxa)~ofb~2|EK?IKG5Fa=NFiS^!4>c=A#0I{f1oWG7$!G8CsoOosMSWM zIq8-KE47X@^-E=Z!3tNsiR2TYku$QDjywe}D?x!_yN6ha2-82i_%{7PEj$O_AdGLr zZ*|XP8}bb-{DSaAoL@}mcMY!3C2-9O3%DUaTUYP5U>>eLpJEa6vmbED4qhraoBtKo zjDd>hpc7wFaHwlhmwm8zqe?Owhou)u{r((6?-~euPVAG;F(?wN>}8c8DO)*!V&lxV z-nmB~hA}tDmDrW%_qh|JE*9A@)OG}!l#E++dB>ZvK{VNYNc~Y^%~{|@z)9Tmg9?G= zMw*%m2WU9yco4(#^)FQD;SbVT=8My!xb34~0fbabHUyD%x z1StyqFcUDofCI1%*N!&(vVk zn>IA&q)qO{jYs)x03O7Nr_cT~%GC#7UrAufNkju2JXXlgBZm%;Myo&UD3TUMuRvOC`x2 zd#C!#Qr*|uiT;=D1e7&FqY2bvct~QfPdxF)wuXl}%k2ecti9T<>qg7&@d;;ndlXmH_Fl7r_KF zT)Dl=eCHt*aG{v?Rw^p5O?EdXPhBi_#!icx)|Zx{SBhRj2TGnm*lCM zZO`)2YBt-m;_{R*7}%@tj3E6vaNP=mL-na7A;joxH&%{KEU%$UidSeUhzea}_6ito zxvId7v=PcFd|}H}MjR<)qEsi*m1GvLW&OX}d&{UQ+ihW35fnt}5F{4ejfix2NQZ=! 
zbS%1&k`4*!kVYEmRA3Q;q;yGlcfa@Yc@%uk-tM!<`2Kuj9DdznamT!7*EO$G@wf@c zPN|cNa?3HMJnGH`NWxKs`I{r_NULb*HvR~zCy#&56an!A?hHbc!7_B%h`jv5tB+K` zZi@)l_kSn?!eR0&8nLgAM=n(O@szRT$bt{~y)(6ur*$Fc=8akWRr7&E%%Ug+6a9)0 zt%w5vXG3UKy%`vXsZEVgpp!O4z9@$&Jh8;H(3It0B^1b*C0+jfeUl`1ygRCT;>f|s zlPWA`d*KG*AajN}1LT;(8TDi#$s=ojOd4W2z;Pl9A(7bJ-q1?)nbAk6w7k%BJb6d` zUP(G!xrtkcj=o$-LD&^BZhN5OON}$Z!@GcFC*E;&yruXWVBp z@2Y*|BOU;w%>I}tU2go{y@srIf{~0~kI=@7eJ~y#1&eRwe8Xb?V7pv1c|k2&)hT{I zzV!W(-#gYZFGyDSBYwe@z9EJa^XFake;{b7wSlKOo_R|p6_ybN7w&$z(E}+`l;Tkad^8SzQO{{+~Lj1zve#zRTXDKH_ ztfxe-wxH{6>+g~RhuXsZ$?(4{wk(kTE>=c3R3+(Efwdo3qF zzs$yOh=IDGr70L)%nKI1lac2@aD4c{mlQ$E))Ne~!;7;|?w4{^S0FC}2rZXA=dQ^&cS(-P^0uI9DVi)HVMy3#$m$uZZdB;HX zkkmCM<^HTZuZBw`DA-3R{7GBau4(DPP_P-M68RQ+8oqLu?W@@=iw}|2kIFRv88^04tvQ!y(to z+NAKHR|bHI!!|zYL69hJsa3a0GRe4uy#fkENz1C9sP_qb#M-m-=l50fdh81B&Ll=3 zR=)+t06ebT)MKv&SCz^_CyB~#aHzkdS0naIbb2erHT!KHJNj22WA6fh?i##j=&zvO zk_cjFh5V10XZKH%PwrL6~)sC*`%E?mVRfx1I3HWAnwrW*oRui-2z)@fBBuQBFJ?$#m>qAw@Srw}9M z@QTK&i`9YLACHF=d@YcR*~moYjhP}G`|bn#5c}-?9FAubS9XC?zL}12a2?o|U7C1j zy3N$e=B{{iN$=7mPZNida-XG!rY*n7#I{SXp|yxqi8#5|1pFTRN=x}>$y(o&V^-9A zpWLv?8XUJstOm|Bcl}<(XuXY{g+zj4mfb4GUIll$?|nEwOFl}UV>)T&HprH9OFyb> zhwjuh8;+U$nWX4_0>#}MmXG==0PYS=yO0L{nzi$1+?_A?3@rE!OO=zT#FxFX;bjps zp%HxX=qTpWyaU8f{rv4GG7le`b|RUE_AC1KM>9D1Dh&9NW@_| zSmOe1Q(GWk7w=^jL-!;+o3Zo?vM{ZsWL5!sUYGH@k4>GlP?czHH~RQz0I3Px`I;xj zB0B`=Nd5Yzb%qcCxe-OU|33El@RGRw%{^X_%~$P_wI@Kj_L+%mqu3PuuCM8xbQqC_ z?HN+9Z8fpYUVA2UGJn{W=5l=FNs}y%0nuRiw4T)?YF{53k2=Z{VprqM@?Ecrl9H9j zGP=cH-m(L|Q6ZoVA!0u#9+|!EUB4I{#ns}|08BdT2D)I=xY>wjiOXo}**8tc4Mtu8rrCN745bPQ25%`F`vv?pJbnYoAfeGI@^beQm-?_ zE08<;2~pYofCc1X0pS5o4O}5wPxhT=@jH3i{BPjtWCXl~j;lpr0Sr5-erGbZNLnUw3d2|n}ReOA?x~tZmt+hS{-aiRMrN5 zpg!*@y3{V~ej;HDduclpYCWctkPjw52Dt#7S*oI75BoFuHVkd2a$f9;m4^9eyG3~i z&Op|es2Fm|!qWeu-Qqs67vA<@wn0A&eZhNCrE1r?@1FAJ^5hz(Si|qg?uTqM?CZtU z&A{HN7Z4C?=zX8!7lm>(769Y)!m9uETXca^|Hyk9oN-nj;ZjZNO^;;A!5w(~d?heJ zRflBC;f&Vam;~{PMoj(QZz;ZM7O(A>dP_XoIk$J_td#!LyH&?JJNBie)H^d>SLmgF 
zGUA5rIa}f~DgtY=XG)KC@ouo`N3&$@_q$U zq?sc=Z+kgfB?#IYapBK;4x{qs;o{ zJp~u#!w?zjF_#HGr{#FN1R1A$zA;ol>=e=8RATnis|tipP?d}JhGamSO#_44`dNUE zUDA{OKQym!(0S1wSMk3g4KqnkuPW=O`U&KnlQ@sjpeF&_tq&*NCk<+|8UjIk@e24M@Wk7(ueVuXOCmJMYHz}9}!BqbZVxO&yZ zq*2TD9B~zXJH-AKRe%ezw}|lQv`$*O&t;wMMRwA0!MLG-fEbFhK)nBpFbO9504p8#D@{FA@Hcw&tc=5GJyfq zwEU_8FNXc2RTQ7+=Ch^+zLhKkO62eL=24?1G$j0G<(W(exqS|w*4#~iPcyd-t}Ahd z3Eb2i9|v~!1TeFywNz$;Bm7ZCyOQ_6U`wRgbGTpRQKV9qg)J6Dp!c|T<&Tp!xvum| zFZA$^5OFs;sT%tM`4e0C$H+gOgIk`;04CW{{)^dj&|yy>fRh?aqoscgX`k@TTlc@? zqSStc$JkpT-A4nDc{*196ioPLh=Ko${{Uy=_nE1-0^N0&y_`T~XJHursW{WYAu^TCtqYk$6Y27J62}zAIR}ob{FGGr@ZMnii^>feZWG-d$}O>NW)c98 z%<^ItKesyYRRUbRqI@ou3~i3ap(cOP0nH1{O9uR5t5+2K?tT=cbZJGl1>vE~QOwL8 znvG?!iJ$3CL`oHEwpG=9*!kAp0FN@ZP*c@=%-}2&*uG|S@kri@o^ZzZYyv14X1l(Y zrf3vi?A63Fw0*-RjA%nki^?ZWGr#2=KssTlf2*`(0il3Ua20BGn1>LYA zAF35h3`SMrf5fNUe~3^0gi)ez9dccWJFP|w+p|jFIT`aj#Re*!s1YFIYQZak=|CK! zgXSx{M(kU*iLN>=^$r1;1&s>tQw4CPP0^*l!Ox1Uo#|E!@>Z7mI*EAPMIg1HL6;X? zr!5%kUamjsQUBaj!2#A4A`Nl;{8{MrBXN=?blTwW;VG^&aEQb15VBW3hg9*n5eg*` zNlG?p!37kX6wD`eKJNuY8d`L;6AbtF&avo~t9qRj+j|e*%p)_X`~>pry{C#xabNbst5^|q$v?6rVc)aMSGl5stzMAh6`RHq3;kn zTID%Pd*f6P6N+A*x^vdCK)s=Ep0qI%e>rn#G`)7I=wCwYf1=mV8^3Xx=!!O!K3B_~ zlY#D0cyw|8VR-&hlsE7T^Mc3G+YOO@^*ym|adJS(>Zb*p{Twyw`Ll|0+681*JEW*a z#ohq7kZMc)k%z;zCs`G`8)pxUGHj4=X)jz(M*;`Cy-c~$BG_CJ-`2V8D)4GFy+Map z%<+f3-F|)6P3FR$3p#Dh@?-ZUkwMro7uM)`L_r!Wxque^K!C&F9lr&|A*h092TkCy zA*Y4Y?2BrnHH@R!ZVLte^}Qhvt2LA8ikTNxKClmHvK`-M0+WcyUD!(?dcpD{iJ-Y7 z1E2d8*{WO3mk*3d+3HC%!W{!L()!mM#b5L}zTpWFTnO_ovS`an@j2vZ7?ey_MN{wg z(H*IvpK*!A)f;b7T_Kmj4?ySDxGlIFVETCOWi8ti3-_SGBFX8mu9nq_?o$JDO7v%^ zY}S_uB;z?~ga)1f$6KnLyT({~XVV?6|u+J!XTKG=SVa-tM#GXKT-YWMof1OpDuLR7D4TXVGP~35K z#Q;}6@r*E15(DoJi5M2OM2oJF5ifcWkq-9`=4*l3iG83nupDXF<&bBW7df!B^!DC3J~gzrs8PO5xcgp@_^Y-k7silUI)HZYs_ z%%byBpMM-vhme^&f}6jfQ_JPx&mN|yz0u-lLog;Scu@x!d-8~5Sk#!28J+>jVYH#u zyJngy(kKDy+p5o6HaOv_Hp}NQVDTzthh^HtnY7S$b|s>o>mGtHktsTZifSr^9zV!= zceHgGrDi%#Ebr|8q@=$BKFSNe^y;{;)NBRq*?d=!{w!*?HOfy!zvlZ4C|L|Vsypv~ 
zZlj_%f#Nvk-wy2xFdZa9olnkQ>@e(cC&yh_);#-S-)xd^gd)$Xk$^4z?fDF`c8(DZ zYD)m(rpd)cJhRA}5As=yNzvc#&h;#^~TeqB8%00j@;Fv?GW( zDSdecq#Y46I=TT8Fzy9RiBhIB7;+7$$kO#S_W)W5F?E0jR*KLOdm4LL9=GPYk`$Mf zbd4i&`i|zW`05kO>^wv*r?{uu;Iqe1joc;tUD(Qs5avX4$r>>Dm*D}K(P~rH5j>JJ zK752gNfZEaO;$h^ij))JOyznjwDkP4f-ZP8CXiMRH&BB4ln2dhLX}<<(#W>fVAxN4 zvhc)G#BjScB{*^pd5n^~(N}fF83?u1EEOkyHa-9|$DrFCoBx}b7TQhBLF(0&ST8Vj zWo5wnrT2EUd~Pl>59ED@HIBwNvH7AZECwEMGn#b=R^Ni)leBM0(p%fwHTzN9^d1i! z1Rb*mt?ZW_&mAWQQ+C8bCs)af3^a{xGHXO6Opt>719vYFnsZH=dg#VETDNdrvMbh1 zIi`wPe4r$90FUJwV;qx8p;^=lOH8Ywl~{;biFnWcIhJnb8jyL@ua^Up{PfOIRB3Jt zp&;G+F9!jwhQmiB%YT#yMr}jqANOnV5B(g`#>WJ$K)s3`v5mSK6|6)ea9;r7 zt%_gh<_D0A0ZZZyJt~3amM1aP2XmGCch#x?L(%`|D2f7kt=BbIFq<9w&r|6CIIast zjN6lf;Jhe5$1+^no?ED5#8`LrsQE6?9kq}0s{*^9`?Vt>MoQIC?u&X?d3WuP1{S`j zK!529`L@(w$KL>rw^>k+R zRMg1ykl8$-!Z zJsU&@04oiU7_=C8)QsgY8blvHV?YN|ZJd5|`RU2u7XV?I=p!-s)TG0sdf$(5TK=TCvZ+CIvNhhJzj&IS*3U8-WRTVUHu%%Vg^WK0ajA_+lmNYUy^k}F+*V_==!cPad>4qck{1DUPuP~x3dXQh*z+zk*TtYO1{MGUHeABN@|(P(g_l1+ zszpbmG`h_n?nRKYhyeWWubVKUKSAzU5+E*ihkiUg3?d0#QBX9jJ*#-3+q-a)uGTpO zo+*ABxN3$Z`0J(6i%cRY<_!76`>U3cBKSVv2Qat3%qsKirqpFvSpGnZ3?!jnKS3{q zNkQ<$K(A`$$8;1*3jmtgT@O*D-imh2!*bD+wL|$%F&&_k?=PF?b^V*<457W=C|BFu)x5|17xwd^B10e z+_EdoheE1N{vP?pZ_t-%0?*;1^P^}J!NSj%1Ju(B6Set)-XD)iNbsR#WVCJ+U;hL= z_53C9dM^;1eWytb-wJ@9sLl1H#GiC|&DVgi&ug@&%5G_&I9RET2bM~4HD$&Kw>Gx%b2>_oHnMCK0sJb&q$_LT|pbO5WCHFIs!FK3_cV$sXgC2Ke0xQu1R(sS+{fiR-){Fxd_ew_jnjTQXc#;B?H2DVie;@om zl>YySX*}iOz1ABh7nuwX*GIOZ-22v2d2q&6uXW>VzGgryS@SDReiK~2RC=hsR`&wg zRomo~@uhwSR48tu2LBDM;LgW~(o(?xw_^EQd+n+K^7V?%3v}X=vKoBLGwLf=8=yRnG?1 zMl2ur9zS{OC)Bw#yN@C}-LI3&WkgUil!+1HQN-i{*%o&zzoA8sYXET0Jb(Z6d=Vh< zU(I0ocaL}mfr&0ufZD9Qed9YP!~i%9k-hhB{03m_xDa?QBmm@JgaQM*s}6jus4e~3 zHG;^n2r6A!+pu^q$d^=}@PK6Y86*VaEKClu*@crp~9C8;0 zRW?QSvxXOUDM$-$GFCZ4V&yP4ufw!n%EerN-qrK*U9VFxKnL8ISJ!j^sP^3jO04Iw z{H_6j;TVR=M1dW3tEJQJURNs_n4u8eLO)$R;9?cMrfw7*{fMErYK5)12HWzRk%A+4 zVPPV8dBr)~M>m%d1^7n*UBsu3k)%^m-~foNjkc2JB6kQ|hg=A-{4RSw3E)L0Ujq~6 z^Xa61IOxL%gPo|xTi?+LcW8fK(WBK&67XZ7F>(D 
z-n6co7UCmwUE0Fn&lhHZ#5T<~q+avEKneQnYF%M2K=hIzui&FxBGd5>Y*h3OKO>dR zvtw>L$W(TM6r&wqQ4xuYw%c zM&FivZcUo&zDLkeds%8MhC=$7dl(HA?g0IG^=bs-T*G@o-3284x#7yNFSR&E{@07} z^moucRhe+UEa}TBWlqN5bMJersH7y^L%){QV|UW7*h_Z6V?cOKD<}-l#bCUzmMC^+ zVwd#t%$-|8Dkl}h3Wmq>K!3TC!2h9NUXTTLWDINK(Cyog%b>~l&|ZE$r;-3dc zqU`Qk`N?UC?MgrU&WBpv`oi(08H}>u-ECNR)$bql9D;Eoc|r*ZF9(*#uXfYY&|s-P zfH@ujUOWnHZnAaQHfS>oI9reL|rJmYo;pFVr2 zSg!L0FuK7XsbS$+!})SyfwB=eA(qEn!mM(-Z)a}c9&30Z^9_E{r?&dc^SGrnQ!;HD z(_1&?P7n)eU#&`I>@z**eU2R2bq9$?DdT*So8kqSQKIcyx2J(Xzz1=P(LlXN;H!HPcC%F`NhuJTo=ngWtsv! zS*|PfWIGj)jfs<(&)~`EJ89s7#lEZem1~xIoWF6{El)f|F8j4lj@HWueQ8Q-$4fz$ z^Hu82mJIOy+l$nITnR!KO{-N$X}?}0r@s5NGAxh{pJVa);Lr_(e-r-xX5cUkVJjq{ zaMGpa`}kIFXC_>^{b7EOUKoMq0JpZ)R$iZOW(C|}Zme&Z@E{I`#MRB*s##II^Q?Sjo|;vccVecpO&YW?;%R-fhJL`|PirTT@?7lMj0hgg}EJM@QXY4ayYVUt=`1;%D`Hb%a>IVW?B56YR5j|Pq zwsH`HDR_xzU|;|qO($Hah@HH)e^3{Sj~kxLZYyM`{cDWqT&wi# z%J6iaAO4;tB7gXKLO>|M@B*pdyg=E69=3Iit1Cw3*0te5cSH{$&A%fonw;T$_Dgs? zec;?Z6nlYBy!865h~U?KLC&msr*jn5$^hbmQ+zHDf9VT!RgL{+rzQ zknA^Yy^dC;-1;cqLwN^UTGp-(c@=Z$x(+_{2qoO85uIVxZj;%axpJoW zcwFGu4a>iJyAKPxH0M z4-XgHx~ne(fMbWHGR;ovd|{LwVX#s!2v`I+=Q1sW@@1D{M6$K--+$xIa1R*SDJM5B zHvN}1B`jw^qAP4A(nESkPt*%^;BQO=0~>)&xd0L?ztkGH#7yZ)M5R-)z+ReW;W+VJ z{`L9Se5k)v>pYc3{Z8OhwzBNaoohh1><>s9ohUD#gRP?8Bh^-&E9X zm}gkA$5XLYGy8Y+oRpNz#_ZOr4mNe36~>+)3Id#gvpmSyfh=$j;Aj9X_xL}g!1pgv z+!Ik+<<*~I;L?(^h2or3QMEIc zH_Pz!f@nkj;>(v+6_wMQ;TANr14qwomKXcfRHV#!oSwj~g7p$q4rC`C62|}tYJWh$ zzlG01T3A0Dp<1Iae!BCGlh8?h-D%?LTW$HnYb6x*;nSd-eSk4~Yi3xZ&Jx{h=ouls zQs5T%QBf!_hZf!ea4@ku&r310k$PM0n7P*9(Bi2NXK_4u$plTXYRRDr61uVuX?is4 zKQ>8S^#VPFEdX4Vha@1N<90720DZ0{g#b?>+x6Y$(!-jKM{U|*(dGyInAhkKre-`G z6`f0_=?R7)E@sPC^?Vi;X}qn1v10s@bI7ySf-pro{t;#fwcd232R1h{J6r8T&EJ_8 zc9qhq**F(PY_*(mFhx7r#vRY4N!)JYy;Th0rEjj=%Dnz`1P|}!ik^9TF;P^v?|Q1O z+(@0}vem2*_Nw7i{f%rXA3khr;}ecI)3#vO-EPyBJlvcAuRS#P7se7QQ7RKtRcXgXOp6HNnXJdXy1tta&7b}C5z?<=S9wB64v zzEz3au9U0b^&Or1WMy2(fWUE_jtc=gJM&4ykg@AlILDPR6NbQ@4L4o+Bltv*>iqI2&lY>{j}2ET|mp&tvm1Ilzg2M6`IR( 
zC#r>Q)W?hasrA3VfSJ=G#MHaw=9+T0*Y8Stwvk6@-q@-Ro(P}-vgUYS^Fv`S&XVy- z2&#D9lm-^*(%U@SAX>bZNXVO4B2qrQ2kCJU2);JSxZq^ zGw-EZ=LoKO`-S|g?jGUBW4|O9yV8){-(iNM+iq28o(mYi3yBK5+8cbvwozj@;e1r= z#iLU3712wdX4x6Y%mA5b(mn74obxtEvt#d_j||W|sT?`h4`yi5 z(g|6~xc$Tzh;x!y-C>8OhLNdVi*$MhafG`sELl3UOziqN6fZ@>;=a+Heg0~rc5p^% zntOD|(!X;)nCAJ0i(!&+!B%{szd_bu!<32U8m(-74b|Sbv+yQ_!y?6E(M5L0`>Ba0 z&9}*%ZULOMq0GG+Tg_}YkK@Omj__(_I1St1%_qlwcr`XxdDyw@qD($n@X~P9&7;$* zw4AQ9?8tIUfp=QFv8WbvgEC?3bM>m8aKnr2!jm!X7qqx>uJ{Y9S_M-Mm+Ns%M|;M7 zrP8&kWiKsOmr4+IJ7#@LXb+<5J{U+gI=jt2-2`~c=%YmKh|vIjUnMY}!?~^8#I!HW zkg^zbkkPc)^Xy5o$7!zWyWOJ8s2G)&(@A^(Ne}y1`Sr$?4;)H^fAZfCzL8K%r9K#o zG2A4?>p`j|yYS;^I4@f(7Qs8%L!ZlTJESs5-XDeIm$<~b#g|$Iq)U{|k`*XqLjj}t zn1SmIFk@4-OfExRnB(nA*T(9;RH~f8+;XvV+lX$SMag*bSxac`rq)Xe$}W3`vq{U@ zz8Pdl6Wm@S2OqTZWIQ;iS0G&@vXty1JgkXC+10%Ad#Jyv^m3JAZg$Y)K@hT*8{5Hr z*pc2$-RSg4l_pCPThgr$v#R5sMG&)9;fE|r; zW}d;8r7#;yQ#wsasMLCP5EY}O+js8Nr!yH6X{u##ZA<{dw5z||72OiatH^7eh#SzG z%Ew{y=w2$Z+Faj{!yViI3 z!|U*Zvfxov<$#B&%w8a< zQ#HH@NozZ-*PSLLM8h9mg^YFqg?|t_ZkEw|qqi>YT#*OM_W_`@+ zSulj=V`Tw=78My+8iSbR6#)Uby}n?%0;?Sm5WI>)5_ruA)Y1IUt{to21naMSs;4{_ zkoaC$;pFrr#sIFG-gBVcMB8=N_3stq0OebKDFdS0Fuu^bF1$iN$sg~p28?1ybiNw` zikJ|fC{gW&ul<=DNc`ypx1$3H=ECt|gGb3B1TIg(W&cQc{N~gEP*4F-#M%rzxedb$ z05m)FkN;oGJaj3kQGk7sa60XlNreZl0zy5>_?}`I!tgc3oetIzb$5q?{${WYb@cngQr#cVejYdQD3a$exDk49i z@RABEQ+<)-xILIF_iojBKa&$naV!2hCizL1n}G9Gz${HXV@q~*aXvkgqR>(}+lspn zSi?=g8d_6t_nHpO&W}%pehJ)leDATbQjy4}XY)raz_S*Ax^mf1f3&+#Q6dl2Sq_0Z zi!wHBZge{gAh{ThC+W|?pX`c+g`L#uYWZ2VS@0y}_{~HMH>(@_?T`wcp9kyh^LjMB30XzDM=CAESP zSg;`tFDk+$ktW$!?7!W}%Kj@U@J2ARnPDl(H*uO6%eGms9;LpCLiU}ZO1l~i+`!xSiU@h9bwYwy5xn$U^nnzLI3k{P zbFAa0w_0DdUS8E)6kVi+sN0_fcwX^k{}Q6!v?oKRX>e_+3ahzdvK%+iGZ9Nm%m*^| zTuVMCEqt^i$13h-a#*Z(L)WA4*PH9|4N_!qBNfj>|xdHNi2_p_dAAvV3{xcR=mA-Ek$%GM&9Fdh`5=I_8yk|4F2WV3r=>Kb8$mN}gIO)HcK7G_SKxI>La> zWr+i7?d|tGLwX)#+F;S|1;)BQdPDFJiTjaOP<2i5w*<{3j&=RUdo?wNgHrYZCvUf^!VRS<# zm?S-8*1m_i4Pq$zzAGAlm(UM`&3mphaXjy1`?zhZPC2pWj6=LK<3BL_Ds6EaW>4FG 
zwWRI>R`kvg8TYE|#V`ZlIR*AWpjzCj{h{7$HS(*>@sZ3uYVd(9C&hmRw_WUebl5A% zs6%MTDB?R2CpEPPydO<%rMXc_6T(1ZY|e#bd>{tcLxO$vy33A4TZW{uCqa!#qudOq z{jk3y^q+ReUF>_9tSiRV*_N#C$*%vGz|v)hPtJXYZBI(?qQiE?_ud6kj^3ZDJuYM? zPRU-Et}eUw8`pYkz+AS@!>W1a1I}_l zbpu-@0jQWE!+5wDNF>_yc<9bVe6ZzAC>o{io-(XouCZTpHIhaCqr#7>`jq;1ZuWCu zMREwv36^kf+!hN;^qLa@W4;7naEFU z_aN+a1jqBWQ`6B56a|gid{jzzp;lYEk=^>GA+9exHQ*JmZXe#$x}>#mw|4DPt784| z&Ob3d22S(38SM^3?!p@GBYrj%=rYqFG0za=*np3GQ7<}o63Tw=0;tOaV3eUEwMAYUs zsgS<8r4}EYAl;o(hAGGblss!qA6#zTf6`0d>&9iHBb8W9$&;XTF+3al&Ka$JzdC5{1pG1G zZXnQTnj_Bg8|3@igFkWieYNiwRETMUt4D~OMN`CM+JVMcKK7g6XhDF41F1w!KvG+?~S iA7ul2Gthr_%)4AWcIl`ZBYg|_6Bm{dDinC>_5T3CQ$n=> literal 0 HcmV?d00001 diff --git a/use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf b/use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf new file mode 100644 index 00000000..197e58d7 --- /dev/null +++ b/use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf 
@@ -0,0 +1,2393 @@ +resource "kubectl_manifest" "kubeflow-admission-webhook-crd-poddefaults" { + yaml_body = <.`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. 
+ type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + description: name of the Azure environment (default AzurePublicCloud) + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be + used at the same time as clientID, clientSecretSecretRef + or tenantID + properties: + clientID: + description: client ID of the managed identity, can + not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, + can not be used at the same time as clientID + type: string + type: object + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. 
Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. 
+ properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back to using + env vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key within + a Kubernetes Secret. Cannot be set when AccessKeyID + is set. If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials file + or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. 
+ type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. 
+ This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API + that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will create HTTPRoutes with the specified + labels in the same namespace as the challenge. This solver + is experimental, and fields / behaviour may change in the + future. + properties: + labels: + additionalProperties: + type: string + description: Custom labels that will be applied to HTTPRoutes + created by cert-manager while solving HTTP-01 challenges. + type: object + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager + creates an HTTPRoute. cert-manager needs to know which + parentRefs should be used when creating the HTTPRoute. + Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + items: + description: "ParentReference identifies an API object + (usually a Gateway) that can be considered a parent + of this resource (usually a route). The only kind + of parent resource with \"Core\" support is Gateway. + This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. 
+ \n The API object must be valid in the cluster; the + Group and Kind must be registered in the cluster for + this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. + \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. + \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + referent. When unspecified (or empty string), + this refers to the local namespace of the Route. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route + targets. It can be interpreted differently based + on the type of parent resource. \n When the parent + resource is a Gateway, this targets all listeners + listening on the specified port that also support + this kind of Route(and select this Route). It's + not recommended to set `Port` unless the networking + behaviors specified in a Route must apply to a + specific port as opposed to a listener(s) whose + port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected + listener must match both specified values. \n + Implementations MAY choose to support other parent + resources. Implementations supporting other types + of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long + as the parent resource accepts it partially. 
For + example, Gateway listeners can restrict which + Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept + attachment from the referencing Route, the Route + MUST be considered successfully attached. If no + Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from + the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section + within the target resource. In the following resources, + SectionName is interpreted as the following: \n + * Gateway: Listener Name. When both Port (experimental) + and SectionName are specified, the name and port + of the selected listener must match both specified + values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is + the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), + this will reference the entire resource. For the + purpose of status, an attachment is considered + successful if at least one section in the parent + resource accepts it. For example, Gateway listeners + can restrict which Routes can attach to them by + Route kind, namespace, or hostname. If 1 of 2 + Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment + from this Route, the Route MUST be considered + detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes solver + service. Supported values are NodePort or ClusterIP. + If unset, defaults to NodePort. 
+ type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges. + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges. + properties: + metadata: + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. 
If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. 
+ properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. 
This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. 
for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. 
The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that + the term applies to. The term + is applied to the union of + the namespaces selected by + this field and the ones listed + in the namespaces field. null + selector and null or empty + namespaces list means "this + pod's namespace". An empty + selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. 
+ type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied to + the union of the namespaces + listed in this field and the + ones selected by namespaceSelector. + null or empty namespaces list + and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. 
This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over + the set of namespaces that the + term applies to. The term is applied + to the union of the namespaces + selected by this field and the + ones listed in the namespaces + field. null selector and null + or empty namespaces list means + "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. 
+ A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The + term is applied to the union of + the namespaces listed in this + field and the ones selected by + namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. 
Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service. Supported values are NodePort or ClusterIP. + If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. 
If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + enum: + - HTTP-01 + - DNS-01 + type: string + url: + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. 
+ type: boolean + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not + set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-cert-manager-crd-clusterissuers" { + yaml_body = <" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a + section within the target resource. In the + following resources, SectionName is interpreted + as the following: \n * Gateway: Listener + Name. 
When both Port (experimental) and + SectionName are specified, the name and + port of the selected listener must match + both specified values. \n Implementations + MAY choose to support attaching Routes to + other resources. If that is the case, they + MUST clearly document how SectionName is + interpreted. \n When unspecified (empty + string), this will reference the entire + resource. For the purpose of status, an + attachment is considered successful if at + least one section in the parent resource + accepts it. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges. 
+ properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges. + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. 
+ properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. 
+ If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. 
+ properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. 
If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. 
+ The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies + to. The term is applied + to the union of the + namespaces selected + by this field and the + ones listed in the namespaces + field. null selector + and null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. 
+ properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static list + of namespace names that + the term applies to. + The term is applied + to the union of the + namespaces listed in + this field and the ones + selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. 
+ If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies to. + The term is applied to the + union of the namespaces + selected by this field and + the ones listed in the namespaces + field. null selector and + null or empty namespaces + list means "this pod's namespace". + An empty selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied + to the union of the namespaces + listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies + to. The term is applied + to the union of the + namespaces selected + by this field and the + ones listed in the namespaces + field. null selector + and null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". 
The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static list + of namespace names that + the term applies to. + The term is applied + to the union of the + namespaces listed in + this field and the ones + selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies to. 
+ The term is applied to the + union of the namespaces + selected by this field and + the ones listed in the namespaces + field. null selector and + null or empty namespaces + list means "this pod's namespace". + An empty selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied + to the union of the namespaces + listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. 
If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. 
+ properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. 
+ properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM-encoded CA bundle (base64-encoded) used to validate + Vault server certificate. Only used if the Server URL is using + HTTPS protocol. This parameter is ignored for plain HTTP protocol + connection. If not set the system root certificates are used + to validate the TLS connection. 
Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the cert-manager + controller system root certificates are used to validate the + TLS connection. + format: byte + type: string + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which + contains the CABundle which will be used when connecting to + Vault when using HTTPS. Mutually exclusive with CABundle. If + neither CABundleSecretRef nor CABundle are defined, the cert-manager + controller system root certificates are used to validate the + TLS connection. If no key for the Secret is specified, cert-manager + will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. 
+ All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-cert-manager-crd-issuers" { + yaml_body = <" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a + section within the target resource. In the + following resources, SectionName is interpreted + as the following: \n * Gateway: Listener + Name. When both Port (experimental) and + SectionName are specified, the name and + port of the selected listener must match + both specified values. \n Implementations + MAY choose to support attaching Routes to + other resources. If that is the case, they + MUST clearly document how SectionName is + interpreted. \n When unspecified (empty + string), this will reference the entire + resource. For the purpose of status, an + attachment is considered successful if at + least one section in the parent resource + accepts it. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from + this Route, the Route MUST be considered + detached from the Gateway. 
\n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges. + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. 
This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges. + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. 
for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. 
+ properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. 
+ items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. 
+ type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies + to. The term is applied + to the union of the + namespaces selected + by this field and the + ones listed in the namespaces + field. null selector + and null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. 
+ type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static list + of namespace names that + the term applies to. + The term is applied + to the union of the + namespaces listed in + this field and the ones + selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. 
+ This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies to. + The term is applied to the + union of the namespaces + selected by this field and + the ones listed in the namespaces + field. null selector and + null or empty namespaces + list means "this pod's namespace". + An empty selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied + to the union of the namespaces + listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. 
A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies + to. The term is applied + to the union of the + namespaces selected + by this field and the + ones listed in the namespaces + field. null selector + and null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". 
The + requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static list + of namespace names that + the term applies to. + The term is applied + to the union of the + namespaces listed in + this field and the ones + selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query + over the set of namespaces + that the term applies to. 
+ The term is applied to the + union of the namespaces + selected by this field and + the ones listed in the namespaces + field. null selector and + null or empty namespaces + list means "this pod's namespace". + An empty selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace + names that the term applies + to. The term is applied + to the union of the namespaces + listed in this field and + the ones selected by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. 
If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. 
+ properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. 
+ properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM-encoded CA bundle (base64-encoded) used to validate + Vault server certificate. Only used if the Server URL is using + HTTPS protocol. This parameter is ignored for plain HTTP protocol + connection. If not set the system root certificates are used + to validate the TLS connection. 
Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the cert-manager + controller system root certificates are used to validate the + TLS connection. + format: byte + type: string + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which + contains the CABundle which will be used when connecting to + Vault when using HTTPS. Mutually exclusive with CABundle. If + neither CABundleSecretRef nor CABundle are defined, the cert-manager + controller system root certificates are used to validate the + TLS connection. If no key for the Secret is specified, cert-manager + will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. 
+ properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. 
+ All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-cert-manager-crd-orders" { + yaml_body = < /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} + grpc-agent: | + {{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta 
`sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: 
spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if 
eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} + values: |- + { + "global": { + "autoscalingv2API": true, + "caAddress": "", + "caName": "", + "configCluster": false, + "configValidation": true, + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "enabled": true, + "externalIstiod": false, + "hub": "docker.io/istio", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "namespace": "istio-system", + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "includeInboundPorts": "*", + "includeOutboundPorts": "", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "40Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + 
"remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "1.16.0", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "useMCP": false, + "variant": "" + }, + "istio_cni": { + "enabled": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "rewriteAppHTTPProbe": true, + "templates": {} + } + } +kind: ConfigMap +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio-sidecar-injector + namespace: istio-system +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, kubectl_manifest.kubeflow-istio-namespace] +} + +resource "kubectl_manifest" "kubeflow-istio-service-ingressgateway" { + yaml_body = < 0 and container-concurrency-target-percentage is + # 100% or 1.0, then activator will always be in the request path. + # -1 denotes unlimited target-burst-capacity and activator will always + # be in the request path. + # Other negative values are invalid. + target-burst-capacity: "211" + + # When operating in a stable mode, the autoscaler operates on the + # average concurrency over the stable window. + # Stable window must be in whole seconds. + stable-window: "60s" + + # When observed average concurrency during the panic window reaches + # panic-threshold-percentage the target concurrency, the autoscaler + # enters panic mode. 
When operating in panic mode, the autoscaler + # scales on the average concurrency over the panic window which is + # panic-window-percentage of the stable-window. + # Must be in the [1, 100] range. + # When computing the panic window it will be rounded to the closest + # whole second, at least 1s. + panic-window-percentage: "10.0" + + # The percentage of the container concurrency target at which to + # enter panic mode when reached within the panic window. + panic-threshold-percentage: "200.0" + + # Max scale up rate limits the rate at which the autoscaler will + # increase pod count. It is the maximum ratio of desired pods versus + # observed pods. + # Cannot be less or equal to 1. + # I.e with value of 2.0 the number of pods can at most go N to 2N + # over single Autoscaler period (2s), but at least N to + # N+1, if Autoscaler needs to scale up. + max-scale-up-rate: "1000.0" + + # Max scale down rate limits the rate at which the autoscaler will + # decrease pod count. It is the maximum ratio of observed pods versus + # desired pods. + # Cannot be less or equal to 1. + # I.e. with value of 2.0 the number of pods can at most go N to N/2 + # over single Autoscaler evaluation period (2s), but at + # least N to N-1, if Autoscaler needs to scale down. + max-scale-down-rate: "2.0" + + # Scale to zero feature flag. + enable-scale-to-zero: "true" + + # Scale to zero grace period is the time an inactive revision is left + # running before it is scaled to zero (must be positive, but recommended + # at least a few seconds if running with mesh networking). + # This is the upper limit and is provided not to enforce timeout after + # the revision stopped receiving requests for stable window, but to + # ensure network reprogramming to put activator in the path has completed. + # If the system determines that a shorter period is satisfactory, + # then the system will only wait that amount of time before scaling to 0. 
+ # NOTE: this period might actually be 0, if activator has been + # in the request path sufficiently long. + # If there is necessity for the last pod to linger longer use + # scale-to-zero-pod-retention-period flag. + scale-to-zero-grace-period: "30s" + + # Scale to zero pod retention period defines the minimum amount + # of time the last pod will remain after Autoscaler has decided to + # scale to zero. + # This flag is for the situations where the pod startup is very expensive + # and the traffic is bursty (requiring smaller windows for fast action), + # but patchy. + # The larger of this flag and `scale-to-zero-grace-period` will effectively + # determine how the last pod will hang around. + scale-to-zero-pod-retention-period: "0s" + + # pod-autoscaler-class specifies the default pod autoscaler class + # that should be used if none is specified. If omitted, + # the Knative Pod Autoscaler (KPA) is used by default. + pod-autoscaler-class: "kpa.autoscaling.knative.dev" + + # The capacity of a single activator task. + # The `unit` is one concurrent request proxied by the activator. + # activator-capacity must be at least 1. + # This value is used for computation of the Activator subset size. + # See the algorithm here: http://bit.ly/38XiCZ3. + # TODO(vagababov): tune after actual benchmarking. + activator-capacity: "100.0" + + # initial-scale is the cluster-wide default value for the initial target + # scale of a revision after creation, unless overridden by the + # "autoscaling.knative.dev/initialScale" annotation. + # This value must be greater than 0 unless allow-zero-initial-scale is true. + initial-scale: "1" + + # allow-zero-initial-scale controls whether either the cluster-wide initial-scale flag, + # or the "autoscaling.knative.dev/initialScale" annotation, can be set to 0. 
+ allow-zero-initial-scale: "false" + + # min-scale is the cluster-wide default value for the min scale of a revision, + # unless overridden by the "autoscaling.knative.dev/minScale" annotation. + min-scale: "0" + + # max-scale is the cluster-wide default value for the max scale of a revision, + # unless overridden by the "autoscaling.knative.dev/maxScale" annotation. + # If set to 0, the revision has no maximum scale. + max-scale: "0" + + # scale-down-delay is the amount of time that must pass at reduced + # concurrency before a scale down decision is applied. This can be useful, + # for example, to maintain replica count and avoid a cold start penalty if + # more requests come in within the scale down delay period. + # The default, 0s, imposes no delay at all. + scale-down-delay: "0s" + + # max-scale-limit sets the maximum permitted value for the max scale of a revision. + # When this is set to a positive value, a revision with a maxScale above that value + # (including a maxScale of "0" = unlimited) is disallowed. + # A value of zero (the default) allows any limit, including unlimited. + max-scale-limit: "0" +kind: ConfigMap +metadata: + annotations: + knative.dev/example-checksum: 47c2487f + labels: + app.kubernetes.io/component: autoscaler + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: 1.8.0 + name: config-autoscaler + namespace: knative-serving +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, kubectl_manifest.kubeflow-knative-namespace] +} + +resource "kubectl_manifest" "kubeflow-knative-configmap-config-default" { + yaml_body = <`. 
+kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: ml-pipeline + app.kubernetes.io/name: kubeflow-pipelines + application-crd-id: kubeflow-pipelines + name: pipeline-install-config + namespace: kubeflow +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, kubectl_manifest.kubeflow-kubeflow-namespace, kubectl_manifest.kubeflow-istio-deployment-istiod, kubectl_manifest.kubeflow-istio-mutatingwebhookconfiguration-sidecar-injector] +} + +resource "kubectl_manifest" "kubeflow-kubeflow-configmap-workflow-controller-configmap" { + yaml_body = < + + + + + + + + group-one-logo.svg: |- + + + + + + + + + group-two-icon.svg: |- + + + + + + + + + group-two-logo.svg: |- + + + + + + + + + jupyter-icon.svg: | + + Created using Figma 0.90 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jupyterlab-logo.svg: | + + + + + +kind: ConfigMap +metadata: + labels: + app: jupyter-web-app + kustomize.component: jupyter-web-app + name: jupyter-web-app-logos + namespace: kubeflow +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, kubectl_manifest.kubeflow-kubeflow-namespace] +} + +resource "kubectl_manifest" "kubeflow-notebooks-configmap-jupyter-web-app-parameters" { + yaml_body = < matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. 
+ properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". 
The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. 
The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. 
+ type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' 
+ type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: '`MPIReplicaSpecs` contains maps from `MPIReplicaType` + to `ReplicaSpec` that specify the MPI replicas to run.' + type: object + runPolicy: + description: '`RunPolicy` encapsulates various runtime policies of + the distributed training job, for example how to clean up resources + and how long the job can stay active.' 
+ properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) + pairs. + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + slotsPerWorker: + description: Specifies the number of slots per worker used in hostfile. + Defaults to 1. + format: int32 + type: integer + required: + - mpiReplicaSpecs + type: object + status: + description: JobStatus represents the current observed state of the training + Job. + properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. 
+ format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-cdr-mxjobs" { + yaml_body = < matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. 
+ If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. 
If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'MXReplicaSpecs is map of commonv1.ReplicaType and commonv1.ReplicaSpec + specifies the MX replicas to run. 
For example, { "Scheduler": commonv1.ReplicaSpec, + "Server": commonv1.ReplicaSpec, "Worker": commonv1.ReplicaSpec, + }' + type: object + runPolicy: + description: RunPolicy encapsulates various runtime policies of the + distributed training job, for example how to clean up resources + and how long the job can stay active. + properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) + pairs. + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + required: + - jobMode + - mxReplicaSpecs + type: object + status: + description: JobStatus represents the current observed state of the training + Job. + properties: + completionTime: + description: Represents time when the job was completed. 
It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-crd-paddlejobs" { + yaml_body = < matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. 
+ If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. 
If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'A map of PaddleReplicaType (type) to ReplicaSpec (value). + Specifies the Paddle cluster configuration. For example, { "Master": + PaddleReplicaSpec, "Worker": PaddleReplicaSpec, }' + type: object + runPolicy: + description: RunPolicy encapsulates various runtime policies of the + distributed training job, for example how to clean up resources + and how long the job can stay active. 
+ properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) + pairs. + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + required: + - paddleReplicaSpecs + type: object + status: + description: Most recently observed status of the PaddleJob. Read-only + (modified by the system). + properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. 
+ items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.replicaStatuses.Worker.selector + specReplicasPath: .spec.paddleReplicaSpecs.Worker.replicas + statusReplicasPath: .status.replicaStatuses.Worker.active + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-cdr-pytorchjobs" { + yaml_body = <=,=,...). + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + rdzvHost: + type: string + rdzvId: + type: string + rdzvPort: + format: int32 + type: integer + standalone: + description: Start a local standalone rendezvous backend that + is represented by a C10d TCP store on port 29400. Useful when + launching single-node, multi-worker job. If specified --rdzv_backend, + --rdzv_endpoint, --rdzv_id are auto-assigned; any explicitly + set values are ignored. + type: boolean + type: object + pytorchReplicaSpecs: + additionalProperties: + description: ReplicaSpec is a description of the replica + properties: + replicas: + description: Replicas is the desired number of replicas of the + given template. If unspecified, defaults to 1. + format: int32 + type: integer + restartPolicy: + description: Restart policy for all replicas within the job. + One of Always, OnFailure, Never and ExitCode. Default to Never. + type: string + template: + description: Template is the object that describes the pod that + will be created for this replica. RestartPolicy in PodTemplateSpec + will be overide by RestartPolicy in ReplicaSpec + properties: + metadata: + description: 'Standard object''s metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: 'Specification of the desired behavior of the + pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may + be active on the node relative to StartTime before + the system will actively try to mark it failed and + kill associated containers. Value must be a positive + integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. + items: + description: An empty preferred scheduling + term matches all objects with implicit weight + 0 (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to an update), the + system may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. 
null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to a pod label update), + the system may or may not try to eventually + evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. 
If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. 
The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. 
The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. 
+ properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. 
Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. 
+ properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'A map of PyTorchReplicaType (type) to ReplicaSpec (value). + Specifies the PyTorch cluster configuration. For example, { "Master": + PyTorchReplicaSpec, "Worker": PyTorchReplicaSpec, }' + type: object + runPolicy: + description: RunPolicy encapsulates various runtime policies of the + distributed training job, for example how to clean up resources + and how long the job can stay active. 
+ properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to Running. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: ResourceList is a set of (resource name, quantity) + pairs. + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + required: + - pytorchReplicaSpecs + type: object + status: + description: Most recently observed status of the PyTorchJob. Read-only + (modified by the system). + properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. 
+ items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.replicaStatuses.Worker.selector + specReplicasPath: .spec.pytorchReplicaSpecs.Worker.replicas + statusReplicasPath: .status.replicaStatuses.Worker.active + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-crd-tfjobs" { + yaml_body = < matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. 
+ items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. 
+ type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. 
+ properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. 
More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. 
Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. 
RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. 
+ properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. 
+ type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. 
+ type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. 
Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. 
This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. 
Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. 
Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. 
+ Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. 
+ format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. 
+ FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. 
Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' 
+ type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. 
The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. 
+ type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. 
+ properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. 
More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. 
Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. 
RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. 
+ properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. 
+ type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. 
Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. 
If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. + type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. 
Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. 
If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. 
+ items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. 
+ If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. 
Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. 
+ Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. 
If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. 
+ properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. 
YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. 
Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' 
+ format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'A map of TFReplicaType (type) to ReplicaSpec (value). + Specifies the TF cluster configuration. For example, { "PS": ReplicaSpec, + "Worker": ReplicaSpec, }' + type: object + required: + - tfReplicaSpecs + type: object + status: + description: Most recently observed status of the TFJob. Populated by + the system. Read-only. 
+ properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-crd-xgboostjobs" { + yaml_body = < matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. 
+ type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. 
+ If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. 
If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. 
+ type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. 
If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." 
+ type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. 
+ type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' 
+ type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' + type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. 
The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. 
+ There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. 
+ The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. 
Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. 
If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. 
+ type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. 
Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. This is a beta field and requires + enabling GRPCContainerProbe feature gate. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. 
Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. 
Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. 
+ type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. 
\n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. 
+ format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." 
+ type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID. If unspecified, + no groups will be added to any container. Note + that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). 
If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. 
+ items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. 
The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. Keys + that don't exist in the incoming pod labels + will be ignored. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. 
Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". 
Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). 
defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. 
Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). 
+ properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. 
+ Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + http://kubernetes.' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. 
The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. 
+ If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + type: object + required: + - xgbReplicaSpecs + type: object + status: + description: JobStatus represents the current observed state of the training + Job. + properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. 
+ format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + required: + - conditions + - replicaStatuses + type: object + type: object + served: true + storage: true + subresources: + status: {} +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool] +} + +resource "kubectl_manifest" "kubeflow-training-operator-serviceaccount-training-operator" { + yaml_body = <- + Privileged mode disables most security mechanisms and must not be allowed. This policy + ensures Pods do not call for privileged mode. +spec: + validationFailureAction: enforce + background: true + rules: + - name: privileged-containers + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged, + spec.containers[*].securityContext.allowPrivilegeEscalation, spec.initContainers[*].securityContext.privileged, + spec.initContainers[*].securityContext.allowPrivilegeEscalation and must be unset or set to `false`. + pattern: + spec: + =(ephemeralContainers): + - =(securityContext): + =(privileged): "false" + =(initContainers): + - =(securityContext): + =(privileged): "false" + containers: + - =(securityContext): + =(privileged): "false" + =(ephemeralContainers): + - =(securityContext): + =(allowPrivilegeEscalation): "false" + =(initContainers): + - =(securityContext): + =(allowPrivilegeEscalation): "false" + containers: + - =(securityContext): + =(allowPrivilegeEscalation): "false" +YAML + +depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, helm_release.kyverno] +} + +resource "kubectl_manifest" "kyverno-disallow-host-path-cluster-policy" { + yaml_body = <- + HostPath volumes let Pods use host directories and volumes in containers. + Using host resources can be used to access shared data or escalate privileges + and should not be allowed. This policy ensures no hostPath volumes are in use. 
+spec:
+ validationFailureAction: enforce
+ background: true
+ rules:
+ - name: host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
+ pattern:
+ spec:
+ =(volumes):
+ - X(hostPath): "null"
+YAML
+
+depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, helm_release.kyverno]
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/output.tf b/use-cases/kubeflow/output.tf
new file mode 100644
index 00000000..29438400
--- /dev/null
+++ b/use-cases/kubeflow/output.tf
@@ -0,0 +1,21 @@
+output "ovh_kube_cluster_kubeconfig" {
+ description = "OVHcloud MKS cluster kubeconfig"
+ value = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig
+ sensitive = true
+}
+
+output "kubeflow_url" {
+ description = "Kubeflow URL"
+ value = "https://kubeflow.${var.ovh_dns_domain}"
+}
+
+output "kubeflow_user" {
+ description = "Kubeflow default user"
+ value = "user@${var.ovh_dns_domain}"
+}
+
+output "kubeflow_password" {
+ description = "Kubeflow default user password"
+ value = "ovhkubeflow123!"
+ sensitive = true
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/ovh_kube_cluster.tf b/use-cases/kubeflow/ovh_kube_cluster.tf
new file mode 100644
index 00000000..ffeedaae
--- /dev/null
+++ b/use-cases/kubeflow/ovh_kube_cluster.tf
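Review bot: The `kubeflow_password` output in output.tf returns the literal `"ovhkubeflow123!"`, and `kubeflow_default_user_password_hash` in variables.tf ships a default bcrypt hash (presumably of that same password), so a deployment that keeps the defaults serves `https://kubeflow.${var.ovh_dns_domain}` with a login that is published in this repository. The output is also not derived from the hash variable, so it reports the wrong password as soon as an operator overrides the hash. I would remove the `default` from `kubeflow_default_user_password_hash` so a hash has to be supplied, add `sensitive = true` to that variable, and delete the `kubeflow_password` output. `sensitive = true` on the output only hides it from CLI output; the value stays in the source and in state.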
@@ -0,0 +1,82 @@
+resource "ovh_cloud_project_kube" "ovh_kube_cluster" {
+ service_name = "${var.ovh_os_project_id}"
+ name = "${var.ovh_kube_cluster_name}"
+ region = "${var.ovh_os_region_name}"
+ version = "${var.ovh_kube_version}"
+
+ private_network_id = tolist(ovh_cloud_project_network_private.private-net.regions_attributes[*].openstackid)[0]
+
+ private_network_configuration {
+ default_vrack_gateway = ""
+ private_network_routing_as_default = false
+ }
+
+ depends_on = [ovh_cloud_project_network_private_subnet.private-subnet]
+}
+
+resource "ovh_cloud_project_kube_nodepool" "control_plane_pool" {
+ service_name = "${var.ovh_os_project_id}"
+ kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id
+ name = "${var.ovh_kube_cluster_name}-control-plane"
+ flavor_name = "${var.kubeflow_control_plane_flavor}"
+ autoscale = "${var.kubeflow_control_plane_autoscale}"
+ desired_nodes = var.kubeflow_control_plane_desired_nodes
+ max_nodes = var.kubeflow_control_plane_max_nodes
+ min_nodes = var.kubeflow_control_plane_min_nodes
+
+ template {
+ metadata {
+ annotations = {}
+ finalizers = []
+ labels = {
+ kubeflow = "control-plane"
+ }
+ }
+ spec {
+ unschedulable = false
+ taints = [
+ {
+ effect = "NoSchedule"
+ key = "kubeflow"
+ value = "control-plane"
+ }
+ ]
+ }
+ }
+}
+
+resource "ovh_cloud_project_kube_nodepool" "worker_cpu_pool" {
+ service_name = "${var.ovh_os_project_id}"
+ kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id
+ name = "${var.ovh_kube_cluster_name}-worker-cpu"
+ flavor_name = "${var.kubeflow_cpu_worker_flavor}"
+ autoscale = "${var.kubeflow_cpu_worker_autoscale}"
+ desired_nodes = var.kubeflow_cpu_worker_desired_nodes
+ max_nodes = var.kubeflow_cpu_worker_max_nodes
+ min_nodes = var.kubeflow_cpu_worker_min_nodes
+}
+
+resource "ovh_cloud_project_kube_nodepool" "worker_gpu_pool" {
+ service_name = "${var.ovh_os_project_id}"
+ kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id
+ name = "${var.ovh_kube_cluster_name}-worker-gpu"
+ flavor_name = "${var.kubeflow_gpu_worker_flavor}"
+ autoscale = "${var.kubeflow_gpu_worker_autoscale}"
+ max_nodes = var.kubeflow_gpu_worker_max_nodes
+ min_nodes = var.kubeflow_gpu_worker_min_nodes
+
+ template {
+ metadata {
+ annotations = {}
+ finalizers = []
+ labels = {
+ "node.k8s.ovh/type" = "gpu"
+ "nvidia.com/gpu" = "ovh"
+ }
+ }
+ spec {
+ unschedulable = false
+ taints = []
+ }
+ }
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/ovh_mysql_db.tf b/use-cases/kubeflow/ovh_mysql_db.tf
new file mode 100644
index 00000000..beb25d80
--- /dev/null
+++ b/use-cases/kubeflow/ovh_mysql_db.tf
@@ -0,0 +1,60 @@
+resource "ovh_cloud_project_database" "mysql" {
+ service_name = "${var.ovh_os_project_id}"
+ description = "${var.ovh_mysql_name}-mysql"
+ engine = "mysql"
+ version = "${var.ovh_mysql_version}"
+ plan = "business"
+
+ nodes {
+ region = "${var.ovh_mysql_region}"
+ network_id = tolist(ovh_cloud_project_network_private.private-net.regions_attributes[*].openstackid)[0]
+ subnet_id = ovh_cloud_project_network_private_subnet.private-subnet.id
+ }
+
+ nodes {
+ region = "${var.ovh_mysql_region}"
+ network_id = tolist(ovh_cloud_project_network_private.private-net.regions_attributes[*].openstackid)[0]
+ subnet_id = ovh_cloud_project_network_private_subnet.private-subnet.id
+ }
+
+ flavor = "db1-4"
+
+ advanced_configuration = {
+ "mysql.sql_mode": "ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,STRICT_ALL_TABLES",
+ "mysql.sql_require_primary_key": "false"
+ }
+
+ timeouts {
+ create = "30m"
+ update = "30m"
+ delete = "30m"
+ }
+}
+
+resource "ovh_cloud_project_database_ip_restriction" "iprestriction-mysql" {
+ service_name = "${var.ovh_os_project_id}"
+ engine = "mysql"
+ cluster_id = ovh_cloud_project_database.mysql.id
+ ip = ovh_cloud_project_network_private_subnet.private-subnet.network
+}
+
+resource "ovh_cloud_project_database_user" "kubeflow-mysql-user" {
+ service_name = ovh_cloud_project_database.mysql.service_name
+ engine = ovh_cloud_project_database.mysql.engine
+ cluster_id = ovh_cloud_project_database.mysql.id
+ name = "kubeflow"
+}
+
+resource "ovh_cloud_project_database_user" "katib-mysql-user" {
+ service_name = ovh_cloud_project_database.mysql.service_name
+ engine = ovh_cloud_project_database.mysql.engine
+ cluster_id = ovh_cloud_project_database.mysql.id
+ name = "katib"
+}
+
+resource "ovh_cloud_project_database_database" "katib-database" {
+ service_name = ovh_cloud_project_database.mysql.service_name
+ engine = ovh_cloud_project_database.mysql.engine
+ cluster_id = ovh_cloud_project_database.mysql.id
+ name = "katib"
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/ovh_private_network.tf b/use-cases/kubeflow/ovh_private_network.tf
new file mode 100644
index 00000000..14386f13
--- /dev/null
+++ b/use-cases/kubeflow/ovh_private_network.tf
@@ -0,0 +1,17 @@
+resource "ovh_cloud_project_network_private" "private-net" {
+ service_name = "${var.ovh_os_project_id}"
+ name = "${var.ovh_kube_cluster_name}-private-network"
+ vlan_id = "${var.ovh_os_private_network_vlan_id}"
+ regions = ["${var.ovh_os_region_name}"]
+}
+
+resource "ovh_cloud_project_network_private_subnet" "private-subnet" {
+ service_name = "${var.ovh_os_project_id}"
+ network_id = ovh_cloud_project_network_private.private-net.id
+ region = "${var.ovh_os_region_name}"
+ start = "192.168.168.2"
+ end = "192.168.168.254"
+ network = "192.168.168.0/24"
+ dhcp = true
+ no_gateway = false
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/ovh_s3_bucket.tf b/use-cases/kubeflow/ovh_s3_bucket.tf
new file mode 100644
index 00000000..36df87e9
--- /dev/null
+++ b/use-cases/kubeflow/ovh_s3_bucket.tf
@@ -0,0 +1,16 @@
+resource "ovh_cloud_project_user" "s3_admin_user" {
+ service_name = "${var.ovh_os_project_id}"
+ description = "${var.ovh_s3_bucket_name} user"
+ role_name = "objectstore_operator"
+}
+
+resource "ovh_cloud_project_user_s3_credential" "s3_admin_cred"{
+ service_name = "${var.ovh_os_project_id}"
+ user_id = ovh_cloud_project_user.s3_admin_user.id
+}
+
+resource "aws_s3_bucket" "bucket"{
+ bucket = "${var.ovh_s3_bucket_name}-${var.ovh_os_project_id}"
+
+ force_destroy = true
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf
new file mode 100644
index 00000000..3008d259
--- /dev/null
+++ b/use-cases/kubeflow/provider.tf
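Review bot: The key pair created for `s3_admin_user` in ovh_s3_bucket.tf is the credential Terraform uses to create and force-delete the bucket, so it is an administrative credential. If the same pair is what the Kubeflow manifests hand to pipelines and notebooks (that wiring is outside this hunk), a compromised workload pod holds bucket-admin rights. I would create a second `ovh_cloud_project_user` for workloads and limit it with an `ovh_cloud_project_user_s3_policy` to object read and write on this one bucket. `force_destroy = true` also lets `terraform destroy` remove every stored artifact and model without a prompt; a comment such as `# deletes all objects on destroy; set to false for anything but a demo` would make that explicit.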
@@ -0,0 +1,63 @@
+terraform {
+ required_providers {
+ ovh = {
+ source = "ovh/ovh"
+ version = "0.37.0"
+ }
+
+ helm = {
+ source = "hashicorp/helm"
+ version = "2.11.0"
+ }
+
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.23.0"
+ }
+
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ }
+
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.17.0"
+ }
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+ }
+}
+
+provider "kubernetes" {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+}
+
+provider "kubectl" {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+}
+
+provider "aws" {
+ region = "${var.ovh_s3_region_name}"
+ access_key = "${ovh_cloud_project_user_s3_credential.s3_admin_cred.access_key_id}"
+ secret_key = "${ovh_cloud_project_user_s3_credential.s3_admin_cred.secret_access_key}"
+
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_region_validation = true
+ endpoints {
+ s3 = "https://s3.${var.ovh_s3_region_name}.io.cloud.ovh.net"
+ }
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf
new file mode 100644
index 00000000..1e0aa02f
--- /dev/null
+++ b/use-cases/kubeflow/variables.tf
@@ -0,0 +1,151 @@
+variable ovh_os_project_id {
+ type = string
+}
+
+variable ovh_os_region_name {
+ type = string
+ default = "GRA11"
+}
+
+variable ovh_os_private_network_vlan_id {
+ type = string
+ default = "10"
+}
+
+variable ovh_kube_cluster_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_kube_version {
+ type = string
+ default = "1.29"
+}
+
+variable kubeflow_control_plane_flavor {
+ type = string
+ default = "b3-8"
+}
+
+variable kubeflow_control_plane_autoscale {
+ type = string
+ default = "false"
+}
+
+variable kubeflow_control_plane_desired_nodes {
+ type = number
+ default = 3
+}
+
+variable kubeflow_control_plane_max_nodes {
+ type = number
+ default = 10
+}
+
+variable kubeflow_control_plane_min_nodes {
+ type = number
+ default = 3
+}
+
+variable kubeflow_cpu_worker_flavor {
+ type = string
+ default = "c3-8"
+}
+
+variable kubeflow_cpu_worker_autoscale {
+ type = string
+ default = "false"
+}
+
+variable kubeflow_cpu_worker_desired_nodes {
+ type = number
+ default = 2
+}
+
+variable kubeflow_cpu_worker_max_nodes {
+ type = number
+ default = 10
+}
+
+variable kubeflow_cpu_worker_min_nodes {
+ type = number
+ default = 2
+}
+
+variable kubeflow_gpu_worker_flavor {
+ type = string
+ default = "t2-45"
+}
+
+variable kubeflow_gpu_worker_autoscale {
+ type = string
+ default = "true"
+}
+
+variable kubeflow_gpu_worker_max_nodes {
+ type = number
+ default = 5
+}
+
+variable kubeflow_gpu_worker_min_nodes {
+ type = number
+ default = 0
+}
+
+variable ovh_api_dns_application_key {
+ type = string
+}
+
+variable ovh_api_dns_application_secret {
+ type = string
+}
+
+variable ovh_api_dns_consumer_key {
+ type = string
+}
+
+variable ovh_dns_domain {
+ type = string
+}
+
+variable letsencrypt_issuer {
+ type = string
+ default = "letsencrypt-staging"
+}
+
+variable ovh_mysql_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_mysql_version {
+ type = string
+ default = "8"
+}
+
+variable ovh_mysql_region {
+ type = string
+ default = "GRA"
+}
+
+variable ovh_s3_bucket_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_s3_region_name {
+ type = string
+ default = "gra"
+}
+
+variable kubeflow_default_user_name {
+ type = string
+ default = "user"
+}
+
+# Use bcrypt to hash the password
+# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
+variable kubeflow_default_user_password_hash {
+ type = string
+ default = "$2y$12$DQDRh8mTqZeWSL4ZUm76.uBzmWmhuHH/IpyPw2cSy1ZUSjQSB7VFa"
+}
\ No newline at end of file
From a8ca31068112f1913f9dab92679c91e31fbda09d Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Mon, 4 Nov 2024 15:31:32 +0100 Subject: [PATCH 02/16] Bump providers version --- use-cases/kubeflow/provider.tf | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf index 3008d259..c1c552a3 100644 --- a/use-cases/kubeflow/provider.tf +++ b/use-cases/kubeflow/provider.tf @@ -2,26 +2,32 @@ terraform { required_providers { ovh = { source = "ovh/ovh" - version = "0.37.0" + version = "1.0.0" } helm = { source = "hashicorp/helm" - version = "2.11.0" + version = "2.16.1" } kubernetes = { source = "hashicorp/kubernetes" - version = "2.23.0" + version = "2.33.0" } kubectl = { source = "gavinbunney/kubectl" + version = "1.14.0" } aws = { source = "hashicorp/aws" - version = "5.17.0" + version = "5.74.0" + } + + random = { + source = "hashicorp/random" + version = "3.6.3" } } } From 0267be939e668e7c33d57e054cb397d33fbe3475 Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Mon, 4 Nov 2024 15:40:15 +0100 Subject: [PATCH 03/16] Use high perf object storage --- use-cases/kubeflow/provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf index c1c552a3..4b74eba6 100644 --- a/use-cases/kubeflow/provider.tf
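Review bot: `ovh_api_dns_application_key`, `ovh_api_dns_application_secret` and `ovh_api_dns_consumer_key` in variables.tf are API credentials but are declared as plain strings, so their values can appear in plan and apply output and in CI logs wherever they are referenced. Add `sensitive = true` to each of the three blocks. None of the variables in this file has a `description`; for these three I would add one stating which OVH API rights the token needs, e.g. `description = "OVH API application secret used by external-dns (DNS zone write only)"`, adjusted to the rights actually required.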
+++ b/use-cases/kubeflow/provider.tf @@ -64,6 +64,6 @@ provider "aws" { skip_requesting_account_id = true skip_region_validation = true endpoints { - s3 = "https://s3.${var.ovh_s3_region_name}.io.cloud.ovh.net" + s3 = "https://s3.${var.ovh_s3_region_name}.perf.cloud.ovh.net" } } \ No newline at end of file From 71c7a03f5535349e6842429645cf5c502ef81189 Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Mon, 4 Nov 2024 15:41:51 +0100 Subject: [PATCH 04/16] Remove openstack ID variable --- use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf | 4 ++-- use-cases/kubeflow/ovh_kube_cluster.tf | 4 ---- use-cases/kubeflow/ovh_mysql_db.tf | 2 -- use-cases/kubeflow/ovh_private_network.tf | 2 -- use-cases/kubeflow/ovh_s3_bucket.tf | 11 ++++++++--- use-cases/kubeflow/variables.tf | 4 ---- 6 files changed, 10 insertions(+), 17 deletions(-) diff --git a/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf b/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf index cae508f0..54fbead9 100644 --- a/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf +++ b/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf @@ -4371,7 +4371,7 @@ data: minioServiceHost: "s3.${var.ovh_s3_region_name}.io.cloud.ovh.net" minioServicePort: "443" minioServiceRegion: "${var.ovh_s3_region_name}" - bucketName: "${var.ovh_s3_bucket_name}-${var.ovh_os_project_id}" + bucketName: "${var.ovh_s3_bucket_name}-${random_string.bucket_name_suffix.result}" cacheDb: cachedb cacheImage: gcr.io/google-containers/busybox cacheNodeRestrictions: "false" 
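Review bot: Only the Terraform `aws` provider is moved to `s3.${var.ovh_s3_region_name}.perf.cloud.ovh.net` in this hunk; the Kubeflow configuration still points at the `io` host (`minioServiceHost` and the artifact repository `endpoint` in kubectl_kubeflow_kubeflow.tf, visible as context lines in the next patch of this series). If the two hosts front different storage classes, the bucket is created through one and pipelines read and write through the other. I would define the host once, e.g. `locals { s3_host = "s3.${var.ovh_s3_region_name}.perf.cloud.ovh.net" }`, and reference `local.s3_host` in the provider and in both manifest values. The `provider "aws"` block starts outside the hunk.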
@@ -4409,7 +4409,7 @@ data: archiveLogs: true s3: endpoint: "s3.${var.ovh_s3_region_name}.io.cloud.ovh.net:443" - bucket: "${var.ovh_s3_bucket_name}-${var.ovh_os_project_id}" + bucket: "${var.ovh_s3_bucket_name}-${random_string.bucket_name_suffix.result}" # keyFormat is a format pattern to define how artifacts will be organized in a bucket. # It can reference workflow metadata variables such as workflow.namespace, workflow.name, # pod.name. Can also use strftime formating of workflow.creationTimestamp so that workflow diff --git a/use-cases/kubeflow/ovh_kube_cluster.tf b/use-cases/kubeflow/ovh_kube_cluster.tf index ffeedaae..e3bef709 100644 --- a/use-cases/kubeflow/ovh_kube_cluster.tf +++ b/use-cases/kubeflow/ovh_kube_cluster.tf @@ -1,5 +1,4 @@ resource "ovh_cloud_project_kube" "ovh_kube_cluster" { - service_name = "${var.ovh_os_project_id}" name = "${var.ovh_kube_cluster_name}" region = "${var.ovh_os_region_name}" version = "${var.ovh_kube_version}" @@ -15,7 +14,6 @@ resource "ovh_cloud_project_kube" "ovh_kube_cluster" { } resource "ovh_cloud_project_kube_nodepool" "control_plane_pool" { - service_name = "${var.ovh_os_project_id}" kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id name = "${var.ovh_kube_cluster_name}-control-plane" flavor_name = "${var.kubeflow_control_plane_flavor}" @@ -46,7 +44,6 @@ resource "ovh_cloud_project_kube_nodepool" "control_plane_pool" { } resource "ovh_cloud_project_kube_nodepool" "worker_cpu_pool" { - service_name = "${var.ovh_os_project_id}" kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id name = "${var.ovh_kube_cluster_name}-worker-cpu" flavor_name = "${var.kubeflow_cpu_worker_flavor}" @@ -57,7 +54,6 @@ resource "ovh_cloud_project_kube_nodepool" "worker_cpu_pool" { } resource "ovh_cloud_project_kube_nodepool" "worker_gpu_pool" { - service_name = "${var.ovh_os_project_id}" kube_id = ovh_cloud_project_kube.ovh_kube_cluster.id name = "${var.ovh_kube_cluster_name}-worker-gpu" flavor_name = "${var.kubeflow_gpu_worker_flavor}" 
diff --git a/use-cases/kubeflow/ovh_mysql_db.tf b/use-cases/kubeflow/ovh_mysql_db.tf index beb25d80..df97642f 100644 --- a/use-cases/kubeflow/ovh_mysql_db.tf +++ b/use-cases/kubeflow/ovh_mysql_db.tf @@ -1,5 +1,4 @@ resource "ovh_cloud_project_database" "mysql" { - service_name = "${var.ovh_os_project_id}" description = "${var.ovh_mysql_name}-mysql" engine = "mysql" version = "${var.ovh_mysql_version}" @@ -32,7 +31,6 @@ resource "ovh_cloud_project_database" "mysql" { } resource "ovh_cloud_project_database_ip_restriction" "iprestriction-mysql" { - service_name = "${var.ovh_os_project_id}" engine = "mysql" cluster_id = ovh_cloud_project_database.mysql.id ip = ovh_cloud_project_network_private_subnet.private-subnet.network diff --git a/use-cases/kubeflow/ovh_private_network.tf b/use-cases/kubeflow/ovh_private_network.tf index 14386f13..73f1169f 100644 --- a/use-cases/kubeflow/ovh_private_network.tf +++ b/use-cases/kubeflow/ovh_private_network.tf @@ -1,12 +1,10 @@ resource "ovh_cloud_project_network_private" "private-net" { - service_name = "${var.ovh_os_project_id}" name = "${var.ovh_kube_cluster_name}-private-network" vlan_id = "${var.ovh_os_private_network_vlan_id}" regions = ["${var.ovh_os_region_name}"] } resource "ovh_cloud_project_network_private_subnet" "private-subnet" { - service_name = "${var.ovh_os_project_id}" network_id = ovh_cloud_project_network_private.private-net.id region = "${var.ovh_os_region_name}" start = "192.168.168.2" diff --git a/use-cases/kubeflow/ovh_s3_bucket.tf b/use-cases/kubeflow/ovh_s3_bucket.tf index 36df87e9..3048ef72 100644 --- a/use-cases/kubeflow/ovh_s3_bucket.tf +++ b/use-cases/kubeflow/ovh_s3_bucket.tf 
@@ -1,16 +1,21 @@ resource "ovh_cloud_project_user" "s3_admin_user" { - service_name = "${var.ovh_os_project_id}" description = "${var.ovh_s3_bucket_name} user" role_name = "objectstore_operator" } resource "ovh_cloud_project_user_s3_credential" "s3_admin_cred"{ - service_name = "${var.ovh_os_project_id}" user_id = ovh_cloud_project_user.s3_admin_user.id } +resource "random_string" "bucket_name_suffix" { + length = 16 + special = false + lower = true + upper = false +} + resource "aws_s3_bucket" "bucket"{ - bucket = "${var.ovh_s3_bucket_name}-${var.ovh_os_project_id}" + bucket = "${var.ovh_s3_bucket_name}-${random_string.bucket_name_suffix.result}" force_destroy = true } \ No newline at end of file diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index 1e0aa02f..9017b2f0 100644 --- a/use-cases/kubeflow/variables.tf +++ b/use-cases/kubeflow/variables.tf @@ -1,7 +1,3 @@ -variable ovh_os_project_id { - type = string -} - variable ovh_os_region_name { type = string default = "GRA11" From addacaed2a512bc8b275285c402096015451ec28 Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Mon, 4 Nov 2024 17:01:32 +0100 Subject: [PATCH 05/16] Update documentation --- use-cases/kubeflow/README.md | 50 +++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 69744e90..5163d40b 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -1,5 +1,7 @@ # Kubeflow on OVHcloud Public Cloud +The purpose of this tutorial is to deploy KubeFlow in an OVHcloud Managed Kubernetes cluster with all the essential tools. + This Terraform will create and configure: * A private network 
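Review bot: Existing deployments will lose their artifact bucket on the next apply: the new `bucket` value in ovh_s3_bucket.tf forces replacement of `aws_s3_bucket.bucket`, and `force_destroy = true` (context line) lets Terraform delete the old bucket together with every pipeline artifact and log in it. I would state this in the commit message or README and add a comment above the new resource, e.g. `# Random suffix keeps the bucket name unique; changing it recreates the bucket and, with force_destroy, deletes its contents`. The two `bucketName`/`bucket` hunks in kubectl_kubeflow_kubeflow.tf follow the same rename. If the artifacts matter beyond a demo, `force_destroy = false` is the safer default.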
@@ -41,32 +43,27 @@ vim ovhrc.sh ```bash export OVH_ENDPOINT="ovh-eu" -export OVH_BASEURL="https://eu.api.ovh.com/1.0/" export OVH_APPLICATION_KEY="" export OVH_APPLICATION_SECRET="" export OVH_CONSUMER_KEY="" -export OVH_CLOUD_PROJECT_SERVICE="$OS_TENANT_ID" - -export TF_VAR_ovh_api_dns_application_key="" -export TF_VAR_ovh_api_dns_application_secret="" -export TF_VAR_ovh_api_dns_consumer_key="" +export OVH_CLOUD_PROJECT_SERVICE="" ``` -You can create a second token for the DNS configuration with limited permissions: +You should create a second OVHcloud credential specific for the DNS configuration with limited permissions: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ovh.md#creating-ovh-credentials -## Customize the deployment - -Configure Terraform with the public cloud project ID: - ```bash -vim terraform.tfvars +vim ovhrc.sh ``` ```bash -ovh_os_project_id = +export TF_VAR_ovh_api_dns_application_key="" +export TF_VAR_ovh_api_dns_application_secret="" +export TF_VAR_ovh_api_dns_consumer_key="" ``` +## Customize the deployment + Configure Terraform with your OVH domain name: ```bash 
@@ -88,12 +85,35 @@ terraform plan terraform apply ``` -## Get the Kubeflow default user password +## Access to the Kubeflow UI + +Get the Kubeflow URL: ```bash -terraform output kubeflow_password +KUBEFLOW_URL=$(terraform output kubeflow_url) +echo $KUBEFLOW_URL ``` +Get the username and password: + +```bash +KUBEFLOW_USER=$(terraform output kubeflow_user) +KUBEFLOW_PASSWORD=$(terraform output kubeflow_password) +echo $KUBEFLOW_USER +echo $KUBEFLOW_PASSWORD +``` + +You can now access to the KubeFlow URL with the user and password. + +## Pipeline example + +In the menu on the left, click on `Experiments (KFP)` and create a new experiment. + +Click on `Pipelines` and choose one of the existing pipeline (example: `[Tutorial] Data passing in python components`). +To launch the pipeline click on `Create Run` and choose in which experiment you would like to run the pipeline. + +After a while the status of the run should turn green. You can see the logs of the run in your object storage. + ## Troubleshoot ### Access the Kubernetes cluster From 2dcffba5f5ef8509499cf977849be66233346d2e Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Wed, 6 Nov 2024 15:52:54 +0100 Subject: [PATCH 06/16] Fix S3 provider configuration --- use-cases/kubeflow/README.md | 18 +++++++++++++++++- .../kubeflow/kubectl_kubeflow_kubeflow.tf | 4 ++-- use-cases/kubeflow/ovh_s3_bucket.tf | 9 --------- use-cases/kubeflow/provider.tf | 4 ++-- use-cases/kubeflow/variables.tf | 8 ++++++++ 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 5163d40b..5587d25b 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -29,7 +29,7 @@ As we are going to configure the infrastructure using a private network, your pu ## Configure the deployment -### Configure the OVHcloud Terraform provider +### Configure the Terraform providers Create an OVHcloud API token: 
@@ -62,6 +62,22 @@ export TF_VAR_ovh_api_dns_application_secret="" export TF_VAR_ovh_api_dns_consumer_key="" ``` +Create an object storage user: +https://help.ovhcloud.com/csm/en-public-cloud-storage-s3-identity-access-management?id=kb_article_view&sysparm_article=KB0047362 + +Configure Terraform with the object storage user: + +```bash +export TF_VAR_ovh_s3_access_key="" +export TF_VAR_ovh_s3_secret_key="" +``` + +Create a default Kubernetes configuration file if you don't already have one: + +```bash +[ ! -f ~/.kube/config ] && { mkdir -p ~/.kube; touch ~/.kube/config; } +``` + ## Customize the deployment Configure Terraform with your OVH domain name: diff --git a/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf b/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf index 54fbead9..885e549e 100644 --- a/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf +++ b/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf @@ -4461,8 +4461,8 @@ metadata: name: mlpipeline-minio-artifact namespace: kubeflow stringData: - accesskey: "${ovh_cloud_project_user_s3_credential.s3_admin_cred.access_key_id}" - secretkey: "${ovh_cloud_project_user_s3_credential.s3_admin_cred.secret_access_key}" + accesskey: "${var.ovh_s3_access_key}" + secretkey: "${var.ovh_s3_secret_key}" YAML depends_on = [ovh_cloud_project_kube.ovh_kube_cluster, ovh_cloud_project_kube_nodepool.control_plane_pool, kubectl_manifest.kubeflow-kubeflow-namespace] diff --git a/use-cases/kubeflow/ovh_s3_bucket.tf b/use-cases/kubeflow/ovh_s3_bucket.tf index 3048ef72..0ef35786 100644 --- a/use-cases/kubeflow/ovh_s3_bucket.tf +++ b/use-cases/kubeflow/ovh_s3_bucket.tf @@ -1,12 +1,3 @@ -resource "ovh_cloud_project_user" "s3_admin_user" { - description = "${var.ovh_s3_bucket_name} user" - role_name = "objectstore_operator" -} - -resource "ovh_cloud_project_user_s3_credential" "s3_admin_cred"{ - user_id = ovh_cloud_project_user.s3_admin_user.id -} - resource "random_string" "bucket_name_suffix" { length = 16 special = false 
diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf index 4b74eba6..7f4c4086 100644 --- a/use-cases/kubeflow/provider.tf +++ b/use-cases/kubeflow/provider.tf @@ -57,8 +57,8 @@ provider "kubectl" { provider "aws" { region = "${var.ovh_s3_region_name}" - access_key = "${ovh_cloud_project_user_s3_credential.s3_admin_cred.access_key_id}" - secret_key = "${ovh_cloud_project_user_s3_credential.s3_admin_cred.secret_access_key}" + access_key = "${var.ovh_s3_access_key}" + secret_key = "${var.ovh_s3_secret_key}" skip_credentials_validation = true skip_requesting_account_id = true diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index 9017b2f0..f88a394e 100644 --- a/use-cases/kubeflow/variables.tf +++ b/use-cases/kubeflow/variables.tf @@ -18,6 +18,14 @@ variable ovh_kube_version { default = "1.29" } +variable ovh_s3_access_key { + type = string +} + +variable ovh_s3_secret_key { + type = string +} + variable kubeflow_control_plane_flavor { type = string default = "b3-8" From 48e34de745506e6a7741f1ac42a7fadf08a02b8b Mon Sep 17 00:00:00 2001 
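Review bot: `ovh_s3_access_key` and `ovh_s3_secret_key` in variables.tf are declared as plain strings, so Terraform can show their values in plan and apply output where they are interpolated into resources, such as the `mlpipeline-minio-artifact` Secret changed in this same commit. Add `sensitive = true` to both declarations. The same applies to the copies of these variables and to the `ovh_api_dns_*` variables in modules/kubeflow/variables.tf, and to the `secret_access_key` output in modules/s3_user/output.tf, all added in PATCH 07. Marking them sensitive only redacts CLI output; the values are still written to the state file, so the state backend needs its own access control and encryption.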
From: Aurelie Vache Date: Fri, 8 Nov 2024 14:06:24 +0000 Subject: [PATCH 07/16] feat: organize the terraform code in modules in orde to first create the aws s3 token nd then pass it to the kubeflow module --- use-cases/kubeflow/README.md | 12 +- .../kubeflow}/helm_external_dns.tf | 0 .../{ => modules/kubeflow}/helm_kyverno.tf | 0 .../kubeflow}/helm_nvidia_operator.tf | 0 .../kubectl_kubeflow_admission_webhook.tf | 0 .../kubeflow}/kubectl_kubeflow_authservice.tf | 0 .../kubectl_kubeflow_cert_manager.tf | 0 .../kubeflow}/kubectl_kubeflow_dashboard.tf | 0 .../kubeflow}/kubectl_kubeflow_dex.tf | 0 .../kubeflow}/kubectl_kubeflow_istio.tf | 0 .../kubeflow}/kubectl_kubeflow_katib.tf | 0 .../kubeflow}/kubectl_kubeflow_knative.tf | 0 .../kubeflow}/kubectl_kubeflow_kserve.tf | 0 .../kubeflow}/kubectl_kubeflow_kubeflow.tf | 0 .../kubeflow}/kubectl_kubeflow_notebooks.tf | 0 .../kubectl_kubeflow_profiles_kfam.tf | 0 .../kubectl_kubeflow_pvc_viewer_controller.tf | 0 ...kubectl_kubeflow_tensorboard_controller.tf | 0 .../kubectl_kubeflow_tensorboards_web_app.tf | 0 .../kubectl_kubeflow_training_operator.tf | 0 .../kubectl_kubeflow_user_namespace.tf | 0 .../kubectl_kubeflow_volumes_web_app.tf | 0 .../kubeflow}/kubectl_kyverno_policies.tf | 0 use-cases/kubeflow/modules/kubeflow/output.tf | 21 +++ .../kubeflow}/ovh_kube_cluster.tf | 0 .../{ => modules/kubeflow}/ovh_mysql_db.tf | 0 .../kubeflow}/ovh_private_network.tf | 0 .../{ => modules/kubeflow}/ovh_s3_bucket.tf | 0 .../kubeflow/modules/kubeflow/provider.tf | 56 +++++++ .../kubeflow/modules/kubeflow/variables.tf | 155 ++++++++++++++++++ use-cases/kubeflow/modules/s3_user/output.tf | 7 + .../kubeflow/modules/s3_user/ovh_s3_user.tf | 8 + .../kubeflow/modules/s3_user/provider.tf | 8 + .../kubeflow/modules/s3_user/variables.tf | 4 + use-cases/kubeflow/output.tf | 8 +- use-cases/kubeflow/provider.tf | 53 +----- use-cases/kubeflow/root.tf | 13 ++ use-cases/kubeflow/variables.tf | 138 +--------------- 38 files changed, 280 insertions(+), 
203 deletions(-) rename use-cases/kubeflow/{ => modules/kubeflow}/helm_external_dns.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/helm_kyverno.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/helm_nvidia_operator.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_admission_webhook.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_authservice.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_cert_manager.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_dashboard.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_dex.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_istio.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_katib.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_knative.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_kserve.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_kubeflow.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_notebooks.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_profiles_kfam.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_pvc_viewer_controller.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_tensorboard_controller.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_tensorboards_web_app.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_training_operator.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_user_namespace.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kubeflow_volumes_web_app.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/kubectl_kyverno_policies.tf (100%) create mode 100644 use-cases/kubeflow/modules/kubeflow/output.tf 
rename use-cases/kubeflow/{ => modules/kubeflow}/ovh_kube_cluster.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/ovh_mysql_db.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/ovh_private_network.tf (100%) rename use-cases/kubeflow/{ => modules/kubeflow}/ovh_s3_bucket.tf (100%) create mode 100644 use-cases/kubeflow/modules/kubeflow/provider.tf create mode 100644 use-cases/kubeflow/modules/kubeflow/variables.tf create mode 100644 use-cases/kubeflow/modules/s3_user/output.tf create mode 100644 use-cases/kubeflow/modules/s3_user/ovh_s3_user.tf create mode 100644 use-cases/kubeflow/modules/s3_user/provider.tf create mode 100644 use-cases/kubeflow/modules/s3_user/variables.tf create mode 100644 use-cases/kubeflow/root.tf diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 5587d25b..8a40627e 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -49,7 +49,7 @@ export OVH_CONSUMER_KEY="" export OVH_CLOUD_PROJECT_SERVICE="" ``` -You should create a second OVHcloud credential specific for the DNS configuration with limited permissions: +You should create a second OVHcloud credential specific for the DNS configuration with limited permissions (better for security): https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ovh.md#creating-ovh-credentials ```bash @@ -62,16 +62,6 @@ export TF_VAR_ovh_api_dns_application_secret="" export TF_VAR_ovh_api_dns_consumer_key="" ``` -Create an object storage user: -https://help.ovhcloud.com/csm/en-public-cloud-storage-s3-identity-access-management?id=kb_article_view&sysparm_article=KB0047362 - -Configure Terraform with the object storage user: - -```bash -export TF_VAR_ovh_s3_access_key="" -export TF_VAR_ovh_s3_secret_key="" -``` - Create a default Kubernetes configuration file if you don't already have one: ```bash 
diff --git a/use-cases/kubeflow/helm_external_dns.tf b/use-cases/kubeflow/modules/kubeflow/helm_external_dns.tf similarity index 100% rename from use-cases/kubeflow/helm_external_dns.tf rename to use-cases/kubeflow/modules/kubeflow/helm_external_dns.tf diff --git a/use-cases/kubeflow/helm_kyverno.tf b/use-cases/kubeflow/modules/kubeflow/helm_kyverno.tf similarity index 100% rename from use-cases/kubeflow/helm_kyverno.tf rename to use-cases/kubeflow/modules/kubeflow/helm_kyverno.tf diff --git a/use-cases/kubeflow/helm_nvidia_operator.tf b/use-cases/kubeflow/modules/kubeflow/helm_nvidia_operator.tf similarity index 100% rename from use-cases/kubeflow/helm_nvidia_operator.tf rename to use-cases/kubeflow/modules/kubeflow/helm_nvidia_operator.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_admission_webhook.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_admission_webhook.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_admission_webhook.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_authservice.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_authservice.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_authservice.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_authservice.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_cert_manager.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_cert_manager.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_cert_manager.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_cert_manager.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_dashboard.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_dashboard.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_dashboard.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_dashboard.tf 
diff --git a/use-cases/kubeflow/kubectl_kubeflow_dex.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_dex.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_dex.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_dex.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_istio.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_istio.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_istio.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_istio.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_katib.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_katib.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_katib.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_katib.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_knative.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_knative.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_knative.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_knative.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_kserve.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_kserve.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_kserve.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_kserve.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_kubeflow.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_kubeflow.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_kubeflow.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_notebooks.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_notebooks.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_notebooks.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_notebooks.tf 
diff --git a/use-cases/kubeflow/kubectl_kubeflow_profiles_kfam.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_profiles_kfam.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_profiles_kfam.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_profiles_kfam.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_pvc_viewer_controller.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_pvc_viewer_controller.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_pvc_viewer_controller.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_pvc_viewer_controller.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_tensorboard_controller.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_tensorboard_controller.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_tensorboard_controller.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_tensorboard_controller.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_tensorboards_web_app.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_tensorboards_web_app.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_tensorboards_web_app.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_tensorboards_web_app.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_training_operator.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_training_operator.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_training_operator.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_training_operator.tf diff --git a/use-cases/kubeflow/kubectl_kubeflow_user_namespace.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_user_namespace.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_user_namespace.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_user_namespace.tf 
diff --git a/use-cases/kubeflow/kubectl_kubeflow_volumes_web_app.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_volumes_web_app.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kubeflow_volumes_web_app.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kubeflow_volumes_web_app.tf diff --git a/use-cases/kubeflow/kubectl_kyverno_policies.tf b/use-cases/kubeflow/modules/kubeflow/kubectl_kyverno_policies.tf similarity index 100% rename from use-cases/kubeflow/kubectl_kyverno_policies.tf rename to use-cases/kubeflow/modules/kubeflow/kubectl_kyverno_policies.tf diff --git a/use-cases/kubeflow/modules/kubeflow/output.tf b/use-cases/kubeflow/modules/kubeflow/output.tf new file mode 100644 index 00000000..29438400 --- /dev/null +++ b/use-cases/kubeflow/modules/kubeflow/output.tf @@ -0,0 +1,21 @@ +output "ovh_kube_cluster_kubeconfig" { + description = "OVHcloud MKS cluster kubeconfig" + value = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig + sensitive = true +} + +output "kubeflow_url" { + description = "Kubeflow URL" + value = "https://kubeflow.${var.ovh_dns_domain}" +} + +output "kubeflow_user" { + description = "Kubeflow default user" + value = "user@${var.ovh_dns_domain}" +} + +output "kubeflow_password" { + description = "Kubeflow default user password" + value = "ovhkubeflow123!" + sensitive = true +} \ No newline at end of file diff --git a/use-cases/kubeflow/ovh_kube_cluster.tf b/use-cases/kubeflow/modules/kubeflow/ovh_kube_cluster.tf similarity index 100% rename from use-cases/kubeflow/ovh_kube_cluster.tf rename to use-cases/kubeflow/modules/kubeflow/ovh_kube_cluster.tf diff --git a/use-cases/kubeflow/ovh_mysql_db.tf b/use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf similarity index 100% rename from use-cases/kubeflow/ovh_mysql_db.tf rename to use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf 
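Review bot: `kubeflow_password` in modules/kubeflow/output.tf returns the literal `"ovhkubeflow123!"`, and modules/kubeflow/variables.tf in this commit ships what is presumably the matching bcrypt hash as the default of `kubeflow_default_user_password_hash`, so every deployment that keeps the defaults serves `https://kubeflow.<domain>` with a login published in the repository. `sensitive = true` on the output hides the value from the CLI but does nothing for a secret that lives in source control. I would remove the default from `kubeflow_default_user_password_hash` so the operator must supply their own hash, mark that variable `sensitive = true`, and drop this output, since the operator already knows the password they hashed. `kubeflow_user` also hard-codes `user@` instead of using `var.kubeflow_default_user_name`.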
diff --git a/use-cases/kubeflow/ovh_private_network.tf b/use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf similarity index 100% rename from use-cases/kubeflow/ovh_private_network.tf rename to use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf diff --git a/use-cases/kubeflow/ovh_s3_bucket.tf b/use-cases/kubeflow/modules/kubeflow/ovh_s3_bucket.tf similarity index 100% rename from use-cases/kubeflow/ovh_s3_bucket.tf rename to use-cases/kubeflow/modules/kubeflow/ovh_s3_bucket.tf diff --git a/use-cases/kubeflow/modules/kubeflow/provider.tf b/use-cases/kubeflow/modules/kubeflow/provider.tf new file mode 100644 index 00000000..be2b5c06 --- /dev/null +++ b/use-cases/kubeflow/modules/kubeflow/provider.tf 
@@ -0,0 +1,56 @@
+terraform {
+ required_providers {
+ ovh = {
+ source = "ovh/ovh"
+ version = "1.0.0"
+ }
+
+ helm = {
+ source = "hashicorp/helm"
+ version = "2.16.1"
+ }
+
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.33.0"
+ }
+
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "1.14.0"
+ }
+
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.74.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.6.3"
+ }
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+ }
+}
+
+provider "kubernetes" {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+}
+
+provider "kubectl" {
+ host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host
+ client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate)
+ client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key)
+ cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate)
+}
\ No newline at end of file
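Review bot: The `helm`, `kubernetes` and `kubectl` provider blocks are configured inside the child module, which Terraform treats as a legacy pattern: a module that carries its own provider configuration cannot be called with `count`, `for_each` or `depends_on`, and removing the module call later leaves its resources without a provider to destroy them. I would keep only `required_providers` in modules/kubeflow/provider.tf and configure the three providers in the root module. All three are also configured from `kubeconfig_attributes[0]` of a cluster created in the same apply, so a comment such as `# Cluster credentials are only known after ovh_cloud_project_kube is created; a first apply may need to be staged` would help the next reader. The client key read here is stored in the Terraform state, so the state should live in a protected backend.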
diff --git a/use-cases/kubeflow/modules/kubeflow/variables.tf b/use-cases/kubeflow/modules/kubeflow/variables.tf
new file mode 100644
index 00000000..f88a394e
--- /dev/null
+++ b/use-cases/kubeflow/modules/kubeflow/variables.tf
@@ -0,0 +1,155 @@
+variable ovh_os_region_name {
+ type = string
+ default = "GRA11"
+}
+
+variable ovh_os_private_network_vlan_id {
+ type = string
+ default = "10"
+}
+
+variable ovh_kube_cluster_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_kube_version {
+ type = string
+ default = "1.29"
+}
+
+variable ovh_s3_access_key {
+ type = string
+}
+
+variable ovh_s3_secret_key {
+ type = string
+}
+
+variable kubeflow_control_plane_flavor {
+ type = string
+ default = "b3-8"
+}
+
+variable kubeflow_control_plane_autoscale {
+ type = string
+ default = "false"
+}
+
+variable kubeflow_control_plane_desired_nodes {
+ type = number
+ default = 3
+}
+
+variable kubeflow_control_plane_max_nodes {
+ type = number
+ default = 10
+}
+
+variable kubeflow_control_plane_min_nodes {
+ type = number
+ default = 3
+}
+
+variable kubeflow_cpu_worker_flavor {
+ type = string
+ default = "c3-8"
+}
+
+variable kubeflow_cpu_worker_autoscale {
+ type = string
+ default = "false"
+}
+
+variable kubeflow_cpu_worker_desired_nodes {
+ type = number
+ default = 2
+}
+
+variable kubeflow_cpu_worker_max_nodes {
+ type = number
+ default = 10
+}
+
+variable kubeflow_cpu_worker_min_nodes {
+ type = number
+ default = 2
+}
+
+variable kubeflow_gpu_worker_flavor {
+ type = string
+ default = "t2-45"
+}
+
+variable kubeflow_gpu_worker_autoscale {
+ type = string
+ default = "true"
+}
+
+variable kubeflow_gpu_worker_max_nodes {
+ type = number
+ default = 5
+}
+
+variable kubeflow_gpu_worker_min_nodes {
+ type = number
+ default = 0
+}
+
+variable ovh_api_dns_application_key {
+ type = string
+}
+
+variable ovh_api_dns_application_secret {
+ type = string
+}
+
+variable ovh_api_dns_consumer_key {
+ type = string
+}
+
+variable ovh_dns_domain {
+ type = string
+}
+
+variable letsencrypt_issuer {
+ type = string
+ default = "letsencrypt-staging"
+}
+
+variable ovh_mysql_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_mysql_version {
+ type = string
+ default = "8"
+}
+
+variable ovh_mysql_region {
+ type = string
+ default = "GRA"
+}
+
+variable ovh_s3_bucket_name {
+ type = string
+ default = "mks-kubeflow"
+}
+
+variable ovh_s3_region_name {
+ type = string
+ default = "gra"
+}
+
+variable kubeflow_default_user_name {
+ type = string
+ default = "user"
+}
+
+# Use bcrypt to hash the password
+# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
+variable kubeflow_default_user_password_hash {
+ type = string
+ default = "$2y$12$DQDRh8mTqZeWSL4ZUm76.uBzmWmhuHH/IpyPw2cSy1ZUSjQSB7VFa"
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/modules/s3_user/output.tf b/use-cases/kubeflow/modules/s3_user/output.tf
new file mode 100644
index 00000000..a90f72cf
--- /dev/null
+++ b/use-cases/kubeflow/modules/s3_user/output.tf
@@ -0,0 +1,7 @@
+output "access_key_id" {
+ value = ovh_cloud_project_user_s3_credential.s3_admin_cred.access_key_id
+}
+
+output "secret_access_key" {
+ value = ovh_cloud_project_user_s3_credential.s3_admin_cred.secret_access_key
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/modules/s3_user/ovh_s3_user.tf b/use-cases/kubeflow/modules/s3_user/ovh_s3_user.tf
new file mode 100644
index 00000000..a2c4aa17
--- /dev/null
+++ b/use-cases/kubeflow/modules/s3_user/ovh_s3_user.tf
@@ -0,0 +1,8 @@
+resource "ovh_cloud_project_user" "s3_admin_user" {
+ description = "${var.ovh_s3_bucket_name} user"
+ role_name = "objectstore_operator"
+}
+
+resource "ovh_cloud_project_user_s3_credential" "s3_admin_cred"{
+ user_id = ovh_cloud_project_user.s3_admin_user.id
+}
\ No newline at end of file
diff --git a/use-cases/kubeflow/modules/s3_user/provider.tf b/use-cases/kubeflow/modules/s3_user/provider.tf
new file mode 100644
index 00000000..634a9323
--- /dev/null
+++ b/use-cases/kubeflow/modules/s3_user/provider.tf
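Review bot: The credential created for `s3_admin_user` in ovh_s3_user.tf carries the project-level `objectstore_operator` role, and root.tf in this commit hands that same key pair both to the `aws` provider and to the Kubeflow module, which writes it into the `mlpipeline-minio-artifact` Secret. If that role grants access to every bucket in the project (not shown here, worth confirming), any workload that can read the Secret can reach unrelated buckets as well. Consider a second user for the in-cluster Secret whose access is limited to the Kubeflow bucket through an `ovh_cloud_project_user_s3_policy`, keeping the operator-level key for Terraform only. A one-line comment on the resource stating which consumers receive this credential would make the blast radius visible.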
@@ -0,0 +1,8 @@ +terraform { + required_providers { + ovh = { + source = "ovh/ovh" + version = "1.0.0" + } + } +} \ No newline at end of file diff --git a/use-cases/kubeflow/modules/s3_user/variables.tf b/use-cases/kubeflow/modules/s3_user/variables.tf new file mode 100644 index 00000000..19f736db --- /dev/null +++ b/use-cases/kubeflow/modules/s3_user/variables.tf @@ -0,0 +1,4 @@ +variable ovh_s3_bucket_name { + type = string + default = "mks-kubeflow" +} diff --git a/use-cases/kubeflow/output.tf b/use-cases/kubeflow/output.tf index 29438400..42d2f3b7 100644 --- a/use-cases/kubeflow/output.tf +++ b/use-cases/kubeflow/output.tf @@ -1,12 +1,8 @@ -output "ovh_kube_cluster_kubeconfig" { - description = "OVHcloud MKS cluster kubeconfig" - value = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig - sensitive = true -} output "kubeflow_url" { description = "Kubeflow URL" - value = "https://kubeflow.${var.ovh_dns_domain}" + value = module.kubeflow.kubeflow_url + //value = "https://kubeflow.${var.ovh_dns_domain}" } output "kubeflow_user" { diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf index 7f4c4086..a6f6db69 100644 --- a/use-cases/kubeflow/provider.tf +++ b/use-cases/kubeflow/provider.tf 
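Review bot: The `kubeflow_url` output in the root output.tf keeps the old expression as a commented-out line, `//value = "https://kubeflow.${var.ovh_dns_domain}"`; delete it rather than commit dead code, since the value now comes from `module.kubeflow.kubeflow_url`. The hunk also removes `ovh_kube_cluster_kubeconfig` from the root outputs, so `terraform output` at the root no longer returns the kubeconfig even though the module still defines it. If the README's troubleshooting section relies on it (not visible here), re-export it with `value = module.kubeflow.ovh_kube_cluster_kubeconfig` and `sensitive = true`. The `kubeflow_user` block continues past the hunk.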
@@ -1,64 +1,17 @@ terraform { required_providers { - ovh = { - source = "ovh/ovh" - version = "1.0.0" - } - - helm = { - source = "hashicorp/helm" - version = "2.16.1" - } - - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.33.0" - } - - kubectl = { - source = "gavinbunney/kubectl" - version = "1.14.0" - } - aws = { source = "hashicorp/aws" version = "5.74.0" } - - random = { - source = "hashicorp/random" - version = "3.6.3" - } } } -provider "helm" { - kubernetes { - host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host - client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate) - client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key) - cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate) - } -} - -provider "kubernetes" { - host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host - client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate) - client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key) - cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate) -} - -provider "kubectl" { - host = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].host - client_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_certificate) - client_key = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].client_key) - cluster_ca_certificate = base64decode(ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig_attributes[0].cluster_ca_certificate) -} - provider "aws" { region = "${var.ovh_s3_region_name}" - access_key = "${var.ovh_s3_access_key}" - secret_key = "${var.ovh_s3_secret_key}" + + 
access_key = module.s3_user.access_key_id + secret_key = module.s3_user.secret_access_key skip_credentials_validation = true skip_requesting_account_id = true diff --git a/use-cases/kubeflow/root.tf b/use-cases/kubeflow/root.tf new file mode 100644 index 00000000..2df8c11c --- /dev/null +++ b/use-cases/kubeflow/root.tf @@ -0,0 +1,13 @@ +module "s3_user" { + source = "./modules/s3_user" +} + +module "kubeflow" { + source = "./modules/kubeflow" + ovh_s3_access_key = module.s3_user.access_key_id + ovh_s3_secret_key = module.s3_user.secret_access_key + ovh_dns_domain = var.ovh_dns_domain + ovh_api_dns_application_key = var.ovh_api_dns_application_key + ovh_api_dns_consumer_key = var.ovh_api_dns_consumer_key + ovh_api_dns_application_secret = var.ovh_api_dns_application_secret +} \ No newline at end of file diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index f88a394e..8a83ff82 100644 --- a/use-cases/kubeflow/variables.tf +++ b/use-cases/kubeflow/variables.tf 
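Review bot: The `aws` provider block now reads `access_key` and `secret_key` from `module.s3_user`, which is created by the same configuration, so the provider cannot be fully configured until that module has been applied. On a fresh state the first plan will likely fail or need a targeted apply. A comment above the two added lines would record the ordering, for example `# module.s3_user must exist first: terraform apply -target module.s3_user`. The S3 secret also passes through state in clear text on this path. The end of the provider block is outside the hunk.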
@@ -1,99 +1,6 @@ -variable ovh_os_region_name { - type = string - default = "GRA11" -} - -variable ovh_os_private_network_vlan_id { - type = string - default = "10" -} - -variable ovh_kube_cluster_name { - type = string - default = "mks-kubeflow" -} - -variable ovh_kube_version { - type = string - default = "1.29" -} - -variable ovh_s3_access_key { - type = string -} - -variable ovh_s3_secret_key { - type = string -} - -variable kubeflow_control_plane_flavor { - type = string - default = "b3-8" -} - -variable kubeflow_control_plane_autoscale { - type = string - default = "false" -} - -variable kubeflow_control_plane_desired_nodes { - type = number - default = 3 -} - -variable kubeflow_control_plane_max_nodes { - type = number - default = 10 -} - -variable kubeflow_control_plane_min_nodes { - type = number - default = 3 -} - -variable kubeflow_cpu_worker_flavor { - type = string - default = "c3-8" -} - -variable kubeflow_cpu_worker_autoscale { - type = string - default = "false" -} - -variable kubeflow_cpu_worker_desired_nodes { - type = number - default = 2 -} - -variable kubeflow_cpu_worker_max_nodes { - type = number - default = 10 -} - -variable kubeflow_cpu_worker_min_nodes { - type = number - default = 2 -} - -variable kubeflow_gpu_worker_flavor { - type = string - default = "t2-45" -} - -variable kubeflow_gpu_worker_autoscale { +variable ovh_s3_region_name { type = string - default = "true" -} - -variable kubeflow_gpu_worker_max_nodes { - type = number - default = 5 -} - -variable kubeflow_gpu_worker_min_nodes { - type = number - default = 0 + default = "gra" } variable ovh_api_dns_application_key { 
@@ -112,44 +19,3 @@ variable ovh_dns_domain { type = string } -variable letsencrypt_issuer { - type = string - default = "letsencrypt-staging" -} - -variable ovh_mysql_name { - type = string - default = "mks-kubeflow" -} - -variable ovh_mysql_version { - type = string - default = "8" -} - -variable ovh_mysql_region { - type = string - default = "GRA" -} - -variable ovh_s3_bucket_name { - type = string - default = "mks-kubeflow" -} - -variable ovh_s3_region_name { - type = string - default = "gra" -} - -variable kubeflow_default_user_name { - type = string - default = "user" -} - -# Use bcrypt to hash the password -# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))' -variable kubeflow_default_user_password_hash { - type = string - default = "$2y$12$DQDRh8mTqZeWSL4ZUm76.uBzmWmhuHH/IpyPw2cSy1ZUSjQSB7VFa" -} \ No newline at end of file From 90c859982c374c6a50888e24142abaa9978686ff Mon Sep 17 00:00:00 2001 From: Aurelie Vache Date: Fri, 8 Nov 2024 14:14:40 +0000 Subject: [PATCH 08/16] clean: useless outputs --- use-cases/kubeflow/README.md | 4 +++- use-cases/kubeflow/modules/kubeflow/output.tf | 16 ---------------- use-cases/kubeflow/output.tf | 4 +--- 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 8a40627e..086dba6f 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md 
@@ -111,9 +111,11 @@ echo $KUBEFLOW_PASSWORD You can now access to the KubeFlow URL with the user and password. +You have to wait until the DNS propagation and then you should be able to reach the Kubeflow URL. + ## Pipeline example -In the menu on the left, click on `Experiments (KFP)` and create a new experiment. +In the Kubeflow UI, in the menu on the left, click on `Experiments (KFP)` and create a new experiment. Click on `Pipelines` and choose one of the existing pipeline (example: `[Tutorial] Data passing in python components`). To launch the pipeline click on `Create Run` and choose in which experiment you would like to run the pipeline. diff --git a/use-cases/kubeflow/modules/kubeflow/output.tf b/use-cases/kubeflow/modules/kubeflow/output.tf index 29438400..8861a6a5 100644 --- a/use-cases/kubeflow/modules/kubeflow/output.tf +++ b/use-cases/kubeflow/modules/kubeflow/output.tf @@ -2,20 +2,4 @@ output "ovh_kube_cluster_kubeconfig" { description = "OVHcloud MKS cluster kubeconfig" value = ovh_cloud_project_kube.ovh_kube_cluster.kubeconfig sensitive = true -} - -output "kubeflow_url" { - description = "Kubeflow URL" - value = "https://kubeflow.${var.ovh_dns_domain}" -} - -output "kubeflow_user" { - description = "Kubeflow default user" - value = "user@${var.ovh_dns_domain}" -} - -output "kubeflow_password" { - description = "Kubeflow default user password" - value = "ovhkubeflow123!" - sensitive = true } \ No newline at end of file diff --git a/use-cases/kubeflow/output.tf b/use-cases/kubeflow/output.tf index 42d2f3b7..3d6b68c1 100644 --- a/use-cases/kubeflow/output.tf +++ b/use-cases/kubeflow/output.tf @@ -1,8 +1,6 @@ - output "kubeflow_url" { description = "Kubeflow URL" - value = module.kubeflow.kubeflow_url - //value = "https://kubeflow.${var.ovh_dns_domain}" + value = "https://kubeflow.${var.ovh_dns_domain}" } output "kubeflow_user" { From 7219762814ea9e16bbe98e28c247cfe3c73e82cd Mon Sep 17 00:00:00 2001 
From: Aurelie Vache Date: Fri, 8 Nov 2024 14:58:02 +0000 Subject: [PATCH 09/16] fix: missing kubeconfig file in root module --- use-cases/kubeflow/output.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/use-cases/kubeflow/output.tf b/use-cases/kubeflow/output.tf index 3d6b68c1..547a64b9 100644 --- a/use-cases/kubeflow/output.tf +++ b/use-cases/kubeflow/output.tf @@ -12,4 +12,9 @@ output "kubeflow_password" { description = "Kubeflow default user password" value = "ovhkubeflow123!" sensitive = true +} + +output "ovh_kube_cluster_kubeconfig" { + value = module.kubeflow.ovh_kube_cluster_kubeconfig + sensitive = true } \ No newline at end of file From 0e0f7fcbd23d7b4fb3d07c88b71ea8aa926d1d9f Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Thu, 21 Nov 2024 16:02:09 +0100 Subject: [PATCH 10/16] fix: database ACL --- use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf b/use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf index df97642f..c8c1c5ff 100644 --- a/use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf +++ b/use-cases/kubeflow/modules/kubeflow/ovh_mysql_db.tf @@ -23,6 +23,10 @@ resource "ovh_cloud_project_database" "mysql" { "mysql.sql_require_primary_key": "false" } + ip_restrictions { + ip = ovh_cloud_project_network_private_subnet.private-subnet.network + } + timeouts { create = "30m" update = "30m" @@ -30,12 +34,6 @@ resource "ovh_cloud_project_database" "mysql" { } } -resource "ovh_cloud_project_database_ip_restriction" "iprestriction-mysql" { - engine = "mysql" - cluster_id = ovh_cloud_project_database.mysql.id - ip = ovh_cloud_project_network_private_subnet.private-subnet.network -} - resource "ovh_cloud_project_database_user" "kubeflow-mysql-user" { service_name = ovh_cloud_project_database.mysql.service_name engine = ovh_cloud_project_database.mysql.engine 
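Review bot: The new `ovh_kube_cluster_kubeconfig` output in the root output.tf has no `description`, unlike the other outputs in the file. Add `description = "OVHcloud MKS cluster kubeconfig"`, the text the module-level output already uses. `sensitive = true` keeps the kubeconfig out of CLI output, but the value is still stored in state and in any file written from `terraform output`, so both need restricted permissions. The context lines also show `kubeflow_password` with a literal value; that output predates this commit.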
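Review bot: The inline `ip_restrictions` block added to `ovh_cloud_project_database.mysql` has no `description`, so the allow-list entry is unlabeled when the database ACL is reviewed. Consider adding `description = "Kubeflow private subnet"` next to `ip`. The second hunk of this file removes the standalone `ovh_cloud_project_database_ip_restriction` resource. On an existing deployment, check the plan to confirm that the ACL is never empty or wider than the subnet between the removal and the in-place update. The `mysql` resource block starts and ends outside both hunks.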
From 33c4c3c24dd48aa821f21bec23e398464fec1cbb Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Thu, 21 Nov 2024 16:05:17 +0100 Subject: [PATCH 11/16] fix: troubleshooting --- use-cases/kubeflow/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 086dba6f..ec64872c 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -128,6 +128,5 @@ After a while the status of the run should turn green. You can see the logs of t ```bash terraform output --raw ovh_kube_cluster_kubeconfig > ./kubeconfig -export KUBECONFIG=./kubeconfig -kubectl get nodes +kubectl get nodes --kubeconfig ./kubeconfig ``` \ No newline at end of file From 1240c893ed8c48b0e5476fadc59806bba1e980fb Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Thu, 21 Nov 2024 16:09:26 +0100 Subject: [PATCH 12/16] fix: API token for external DNS --- use-cases/kubeflow/README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index ec64872c..819d129d 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -49,8 +49,20 @@ export OVH_CONSUMER_KEY="" export OVH_CLOUD_PROJECT_SERVICE="" ``` -You should create a second OVHcloud credential specific for the DNS configuration with limited permissions (better for security): -https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ovh.md#creating-ovh-credentials +You should create a second OVHcloud credential specific for the DNS configuration with limited permissions (better for security). + +Create an API token with the following permissions: +https://www.ovh.com/auth/api/createToken + +``` +GET on /domain/zone +GET on /domain/zone/*/record +GET on /domain/zone/*/record/* +POST on /domain/zone/*/record +DELETE on /domain/zone/*/record/* +GET on /domain/zone/*/soa +POST on /domain/zone/*/refresh +``` ```bash vim ovhrc.sh 
From f5f7ed9dddb025a9df10563e19236ae6968acf08 Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Thu, 21 Nov 2024 16:52:07 +0100 Subject: [PATCH 13/16] fix: pass variables to kubeflow module --- use-cases/kubeflow/root.tf | 26 +++++++ use-cases/kubeflow/variables.tf | 130 +++++++++++++++++++++++++++++++- 2 files changed, 154 insertions(+), 2 deletions(-) diff --git a/use-cases/kubeflow/root.tf b/use-cases/kubeflow/root.tf index 2df8c11c..42ca7dfa 100644 --- a/use-cases/kubeflow/root.tf +++ b/use-cases/kubeflow/root.tf 
@@ -10,4 +10,30 @@ module "kubeflow" { ovh_api_dns_application_key = var.ovh_api_dns_application_key ovh_api_dns_consumer_key = var.ovh_api_dns_consumer_key ovh_api_dns_application_secret = var.ovh_api_dns_application_secret + ovh_os_region_name = var.ovh_os_region_name + ovh_os_private_network_vlan_id = var.ovh_os_private_network_vlan_id + ovh_kube_cluster_name = var.ovh_kube_cluster_name + ovh_kube_version = var.ovh_kube_version + kubeflow_control_plane_flavor = var.kubeflow_control_plane_flavor + kubeflow_control_plane_autoscale = var.kubeflow_control_plane_autoscale + kubeflow_control_plane_desired_nodes = var.kubeflow_control_plane_desired_nodes + kubeflow_control_plane_max_nodes = var.kubeflow_control_plane_max_nodes + kubeflow_control_plane_min_nodes = var.kubeflow_control_plane_min_nodes + kubeflow_cpu_worker_flavor = var.kubeflow_cpu_worker_flavor + kubeflow_cpu_worker_autoscale = var.kubeflow_cpu_worker_autoscale + kubeflow_cpu_worker_desired_nodes = var.kubeflow_cpu_worker_desired_nodes + kubeflow_cpu_worker_max_nodes = var.kubeflow_cpu_worker_max_nodes + kubeflow_cpu_worker_min_nodes = var.kubeflow_cpu_worker_min_nodes + kubeflow_gpu_worker_flavor = var.kubeflow_gpu_worker_flavor + kubeflow_gpu_worker_autoscale = var.kubeflow_gpu_worker_autoscale + kubeflow_gpu_worker_max_nodes = var.kubeflow_gpu_worker_max_nodes + kubeflow_gpu_worker_min_nodes = var.kubeflow_gpu_worker_min_nodes + letsencrypt_issuer = var.letsencrypt_issuer + ovh_mysql_name = var.ovh_mysql_name + ovh_mysql_version = var.ovh_mysql_version + ovh_mysql_region = var.ovh_mysql_region + ovh_s3_bucket_name = var.ovh_s3_bucket_name + ovh_s3_region_name = var.ovh_s3_region_name + kubeflow_default_user_name = var.kubeflow_default_user_name + kubeflow_default_user_password_hash = var.kubeflow_default_user_password_hash } \ No newline at end of file diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index 8a83ff82..9017b2f0 100644 --- a/use-cases/kubeflow/variables.tf 
+++ b/use-cases/kubeflow/variables.tf @@ -1,6 +1,91 @@ -variable ovh_s3_region_name { +variable ovh_os_region_name { type = string - default = "gra" + default = "GRA11" +} + +variable ovh_os_private_network_vlan_id { + type = string + default = "10" +} + +variable ovh_kube_cluster_name { + type = string + default = "mks-kubeflow" +} + +variable ovh_kube_version { + type = string + default = "1.29" +} + +variable kubeflow_control_plane_flavor { + type = string + default = "b3-8" +} + +variable kubeflow_control_plane_autoscale { + type = string + default = "false" +} + +variable kubeflow_control_plane_desired_nodes { + type = number + default = 3 +} + +variable kubeflow_control_plane_max_nodes { + type = number + default = 10 +} + +variable kubeflow_control_plane_min_nodes { + type = number + default = 3 +} + +variable kubeflow_cpu_worker_flavor { + type = string + default = "c3-8" +} + +variable kubeflow_cpu_worker_autoscale { + type = string + default = "false" +} + +variable kubeflow_cpu_worker_desired_nodes { + type = number + default = 2 +} + +variable kubeflow_cpu_worker_max_nodes { + type = number + default = 10 +} + +variable kubeflow_cpu_worker_min_nodes { + type = number + default = 2 +} + +variable kubeflow_gpu_worker_flavor { + type = string + default = "t2-45" +} + +variable kubeflow_gpu_worker_autoscale { + type = string + default = "true" +} + +variable kubeflow_gpu_worker_max_nodes { + type = number + default = 5 +} + +variable kubeflow_gpu_worker_min_nodes { + type = number + default = 0 } variable ovh_api_dns_application_key { 
@@ -19,3 +104,44 @@ variable ovh_dns_domain { type = string } +variable letsencrypt_issuer { + type = string + default = "letsencrypt-staging" +} + +variable ovh_mysql_name { + type = string + default = "mks-kubeflow" +} + +variable ovh_mysql_version { + type = string + default = "8" +} + +variable ovh_mysql_region { + type = string + default = "GRA" +} + +variable ovh_s3_bucket_name { + type = string + default = "mks-kubeflow" +} + +variable ovh_s3_region_name { + type = string + default = "gra" +} + +variable kubeflow_default_user_name { + type = string + default = "user" +} + +# Use bcrypt to hash the password +# python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))' +variable kubeflow_default_user_password_hash { + type = string + default = "$2y$12$DQDRh8mTqZeWSL4ZUm76.uBzmWmhuHH/IpyPw2cSy1ZUSjQSB7VFa" +} \ No newline at end of file From 33a3d3900b7e7a596d54ffe053fb87c27623f03f Mon Sep 17 00:00:00 2001 From: Simon Guyennet Date: Fri, 22 Nov 2024 10:24:55 +0100 Subject: [PATCH 14/16] Bump MKS version to 1.31 --- use-cases/kubeflow/README.md | 3 +- .../modules/kubeflow/ovh_private_network.tf | 8 +++ .../kubeflow/modules/kubeflow/variables.tf | 7 ++- use-cases/kubeflow/root.tf | 63 ++++++++++--------- use-cases/kubeflow/variables.tf | 7 ++- 5 files changed, 54 insertions(+), 34 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index 819d129d..ddf0812b 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -5,8 +5,9 @@ The purpose of this tutorial is to deploy KubeFlow in an OVHcloud Managed Kubern This Terraform will create and configure: * A private network +* A gateway * A managed Kubernetes cluster -* A load balancer for Kubernetes with a public IP +* A Public Cloud load balancer with a public IP * A MySQL managed database * An object storage bucket * A Kubeflow deployment 
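Review bot: `kubeflow_default_user_password_hash` at the end of this hunk ships a usable bcrypt hash as its `default`, so every deployment that does not override it gets the same login. The matching password appears to be the literal printed by the `kubeflow_password` output in output.tf. Drop the `default` so the operator must supply a hash generated with the command in the comment above the variable, and add `sensitive = true` to the variable. The `kubeflow_password` output would then need to stop returning a fixed string.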
diff --git a/use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf b/use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf index 73f1169f..5ad55486 100644 --- a/use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf +++ b/use-cases/kubeflow/modules/kubeflow/ovh_private_network.tf @@ -12,4 +12,12 @@ resource "ovh_cloud_project_network_private_subnet" "private-subnet" { network = "192.168.168.0/24" dhcp = true no_gateway = false +} + +resource "ovh_cloud_project_gateway" "gateway" { + name = "${var.ovh_kube_cluster_name}-gateway" + model = "${var.ovh_gateway_size}" + region = "${var.ovh_os_region_name}" + network_id = tolist(ovh_cloud_project_network_private.private-net.regions_attributes[*].openstackid)[0] + subnet_id = ovh_cloud_project_network_private_subnet.private-subnet.id } \ No newline at end of file diff --git a/use-cases/kubeflow/modules/kubeflow/variables.tf b/use-cases/kubeflow/modules/kubeflow/variables.tf index f88a394e..ca3289d1 100644 --- a/use-cases/kubeflow/modules/kubeflow/variables.tf +++ b/use-cases/kubeflow/modules/kubeflow/variables.tf @@ -8,6 +8,11 @@ variable ovh_os_private_network_vlan_id { default = "10" } +variable ovh_gateway_size { + type = string + default = "s" +} + variable ovh_kube_cluster_name { type = string default = "mks-kubeflow" @@ -15,7 +20,7 @@ variable ovh_kube_cluster_name { variable ovh_kube_version { type = string - default = "1.29" + default = "1.31" } variable ovh_s3_access_key { diff --git a/use-cases/kubeflow/root.tf b/use-cases/kubeflow/root.tf index 42ca7dfa..994b7272 100644 --- a/use-cases/kubeflow/root.tf +++ b/use-cases/kubeflow/root.tf 
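Review bot: `network_id` in the new `ovh_cloud_project_gateway.gateway` takes element `[0]` of `regions_attributes[*].openstackid`, while `region` comes from `var.ovh_os_region_name`. If the private network is ever declared in more than one region, the first entry may not belong to that region. The private network resource is outside the hunk, so this only matters if its region list grows. A comment such as `# single-region network: index 0 is var.ovh_os_region_name` would make the assumption explicit. `model` and `region` can also be written as `var.ovh_gateway_size` and `var.ovh_os_region_name`, without the quoted interpolation.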
@@ -4,36 +4,37 @@ module "s3_user" { module "kubeflow" { source = "./modules/kubeflow" - ovh_s3_access_key = module.s3_user.access_key_id - ovh_s3_secret_key = module.s3_user.secret_access_key - ovh_dns_domain = var.ovh_dns_domain - ovh_api_dns_application_key = var.ovh_api_dns_application_key - ovh_api_dns_consumer_key = var.ovh_api_dns_consumer_key - ovh_api_dns_application_secret = var.ovh_api_dns_application_secret - ovh_os_region_name = var.ovh_os_region_name - ovh_os_private_network_vlan_id = var.ovh_os_private_network_vlan_id - ovh_kube_cluster_name = var.ovh_kube_cluster_name - ovh_kube_version = var.ovh_kube_version - kubeflow_control_plane_flavor = var.kubeflow_control_plane_flavor - kubeflow_control_plane_autoscale = var.kubeflow_control_plane_autoscale + ovh_s3_access_key = module.s3_user.access_key_id + ovh_s3_secret_key = module.s3_user.secret_access_key + ovh_dns_domain = var.ovh_dns_domain + ovh_api_dns_application_key = var.ovh_api_dns_application_key + ovh_api_dns_consumer_key = var.ovh_api_dns_consumer_key + ovh_api_dns_application_secret = var.ovh_api_dns_application_secret + ovh_os_region_name = var.ovh_os_region_name + ovh_os_private_network_vlan_id = var.ovh_os_private_network_vlan_id + ovh_gateway_size = var.ovh_gateway_size + ovh_kube_cluster_name = var.ovh_kube_cluster_name + ovh_kube_version = var.ovh_kube_version + kubeflow_control_plane_flavor = var.kubeflow_control_plane_flavor + kubeflow_control_plane_autoscale = var.kubeflow_control_plane_autoscale kubeflow_control_plane_desired_nodes = var.kubeflow_control_plane_desired_nodes - kubeflow_control_plane_max_nodes = var.kubeflow_control_plane_max_nodes - kubeflow_control_plane_min_nodes = var.kubeflow_control_plane_min_nodes - kubeflow_cpu_worker_flavor = var.kubeflow_cpu_worker_flavor - kubeflow_cpu_worker_autoscale = var.kubeflow_cpu_worker_autoscale - kubeflow_cpu_worker_desired_nodes = var.kubeflow_cpu_worker_desired_nodes - kubeflow_cpu_worker_max_nodes = 
var.kubeflow_cpu_worker_max_nodes - kubeflow_cpu_worker_min_nodes = var.kubeflow_cpu_worker_min_nodes - kubeflow_gpu_worker_flavor = var.kubeflow_gpu_worker_flavor - kubeflow_gpu_worker_autoscale = var.kubeflow_gpu_worker_autoscale - kubeflow_gpu_worker_max_nodes = var.kubeflow_gpu_worker_max_nodes - kubeflow_gpu_worker_min_nodes = var.kubeflow_gpu_worker_min_nodes - letsencrypt_issuer = var.letsencrypt_issuer - ovh_mysql_name = var.ovh_mysql_name - ovh_mysql_version = var.ovh_mysql_version - ovh_mysql_region = var.ovh_mysql_region - ovh_s3_bucket_name = var.ovh_s3_bucket_name - ovh_s3_region_name = var.ovh_s3_region_name - kubeflow_default_user_name = var.kubeflow_default_user_name - kubeflow_default_user_password_hash = var.kubeflow_default_user_password_hash + kubeflow_control_plane_max_nodes = var.kubeflow_control_plane_max_nodes + kubeflow_control_plane_min_nodes = var.kubeflow_control_plane_min_nodes + kubeflow_cpu_worker_flavor = var.kubeflow_cpu_worker_flavor + kubeflow_cpu_worker_autoscale = var.kubeflow_cpu_worker_autoscale + kubeflow_cpu_worker_desired_nodes = var.kubeflow_cpu_worker_desired_nodes + kubeflow_cpu_worker_max_nodes = var.kubeflow_cpu_worker_max_nodes + kubeflow_cpu_worker_min_nodes = var.kubeflow_cpu_worker_min_nodes + kubeflow_gpu_worker_flavor = var.kubeflow_gpu_worker_flavor + kubeflow_gpu_worker_autoscale = var.kubeflow_gpu_worker_autoscale + kubeflow_gpu_worker_max_nodes = var.kubeflow_gpu_worker_max_nodes + kubeflow_gpu_worker_min_nodes = var.kubeflow_gpu_worker_min_nodes + letsencrypt_issuer = var.letsencrypt_issuer + ovh_mysql_name = var.ovh_mysql_name + ovh_mysql_version = var.ovh_mysql_version + ovh_mysql_region = var.ovh_mysql_region + ovh_s3_bucket_name = var.ovh_s3_bucket_name + ovh_s3_region_name = var.ovh_s3_region_name + kubeflow_default_user_name = var.kubeflow_default_user_name + kubeflow_default_user_password_hash = var.kubeflow_default_user_password_hash } \ No newline at end of file 
diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index 9017b2f0..13576d8a 100644 --- a/use-cases/kubeflow/variables.tf +++ b/use-cases/kubeflow/variables.tf @@ -8,6 +8,11 @@ variable ovh_os_private_network_vlan_id { default = "10" } +variable ovh_gateway_size { + type = string + default = "s" +} + variable ovh_kube_cluster_name { type = string default = "mks-kubeflow" @@ -15,7 +20,7 @@ variable ovh_kube_cluster_name { variable ovh_kube_version { type = string - default = "1.29" + default = "1.31" } variable kubeflow_control_plane_flavor { From 32217da81d6525de1d865733094f301dc5e50ab1 Mon Sep 17 00:00:00 2001 From: Aurelie Vache Date: Mon, 25 Nov 2024 10:25:00 +0000 Subject: [PATCH 15/16] merge --- use-cases/kubeflow/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/use-cases/kubeflow/README.md b/use-cases/kubeflow/README.md index ddf0812b..3c8fa3df 100644 --- a/use-cases/kubeflow/README.md +++ b/use-cases/kubeflow/README.md @@ -69,6 +69,8 @@ POST on /domain/zone/*/refresh vim ovhrc.sh ``` +Add at the end of the file: + ```bash export TF_VAR_ovh_api_dns_application_key="" export TF_VAR_ovh_api_dns_application_secret="" @@ -100,7 +102,7 @@ You can find the list of configuration variables in `variables.tf` and you can o ```bash source ovhrc.sh terraform init -terraform plan +terraform apply -target module.s3_user terraform apply ``` @@ -142,4 +144,4 @@ After a while the status of the run should turn green. You can see the logs of t ```bash terraform output --raw ovh_kube_cluster_kubeconfig > ./kubeconfig kubectl get nodes --kubeconfig ./kubeconfig -``` \ No newline at end of file +``` From 0ff6f2ea61c740578383e8852b25710ef21842be Mon Sep 17 00:00:00 2001 
From: Aurelie Vache Date: Mon, 25 Nov 2024 10:20:57 +0000 Subject: [PATCH 16/16] fix: final review --- .gitignore | 2 ++ use-cases/kubeflow/modules/kubeflow/provider.tf | 7 +------ use-cases/kubeflow/modules/kubeflow/variables.tf | 2 +- use-cases/kubeflow/modules/s3_user/provider.tf | 2 +- use-cases/kubeflow/output.tf | 9 +++++++++ use-cases/kubeflow/provider.tf | 2 +- use-cases/kubeflow/variables.tf | 2 +- 7 files changed, 16 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 0fd540f6..72f3114a 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,5 @@ ai/ai-endpoints/java-langchain4j-chatbot/target/test-classes/com/ovhcloud/exampl # Dot env files .env +use-cases/kubeflow/ovhrc.sh +use-cases/kubeflow/kubeconfig diff --git a/use-cases/kubeflow/modules/kubeflow/provider.tf b/use-cases/kubeflow/modules/kubeflow/provider.tf index be2b5c06..a80700c9 100644 --- a/use-cases/kubeflow/modules/kubeflow/provider.tf +++ b/use-cases/kubeflow/modules/kubeflow/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { ovh = { source = "ovh/ovh" - version = "1.0.0" + version = "1.1.0" } helm = { @@ -20,11 +20,6 @@ terraform { version = "1.14.0" } - aws = { - source = "hashicorp/aws" - version = "5.74.0" - } - random = { source = "hashicorp/random" version = "3.6.3" diff --git a/use-cases/kubeflow/modules/kubeflow/variables.tf b/use-cases/kubeflow/modules/kubeflow/variables.tf index ca3289d1..a60303d3 100644 --- a/use-cases/kubeflow/modules/kubeflow/variables.tf +++ b/use-cases/kubeflow/modules/kubeflow/variables.tf @@ -5,7 +5,7 @@ variable ovh_os_region_name { variable ovh_os_private_network_vlan_id { type = string - default = "10" + default = "11" } variable ovh_gateway_size { diff --git a/use-cases/kubeflow/modules/s3_user/provider.tf b/use-cases/kubeflow/modules/s3_user/provider.tf index 634a9323..02042250 100644 --- a/use-cases/kubeflow/modules/s3_user/provider.tf +++ b/use-cases/kubeflow/modules/s3_user/provider.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ovh = { source = "ovh/ovh" - version = "1.0.0" + version = "1.1.0" } } } \ No newline at end of file diff --git a/use-cases/kubeflow/output.tf b/use-cases/kubeflow/output.tf index 547a64b9..778514ce 100644 --- a/use-cases/kubeflow/output.tf +++ b/use-cases/kubeflow/output.tf @@ -1,3 +1,12 @@ +output "access_key_id" { + value = module.s3_user.access_key_id +} + +output "secret_access_key" { + value = module.s3_user.secret_access_key + sensitive = true +} + output "kubeflow_url" { description = "Kubeflow URL" value = "https://kubeflow.${var.ovh_dns_domain}" diff --git a/use-cases/kubeflow/provider.tf b/use-cases/kubeflow/provider.tf index a6f6db69..d48baed4 100644 --- a/use-cases/kubeflow/provider.tf +++ b/use-cases/kubeflow/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "5.74.0" + version = "5.77.0" } } } diff --git a/use-cases/kubeflow/variables.tf b/use-cases/kubeflow/variables.tf index 13576d8a..7ca25ba5 100644 --- a/use-cases/kubeflow/variables.tf +++ b/use-cases/kubeflow/variables.tf @@ -5,7 +5,7 @@ variable ovh_os_region_name { variable ovh_os_private_network_vlan_id { type = string - default = "10" + default = "11" } variable ovh_gateway_size {
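Review bot: The two outputs added at the top of the root output.tf have no `description`, and `access_key_id` is not marked sensitive, so the key id is printed on every `terraform apply`. If these outputs exist only so the operator can retrieve the S3 credentials once, describe them and treat the pair alike, for example `description = "S3 access key id of the bucket user"` and `sensitive = true` on `access_key_id`. It is also worth confirming that the secret needs to be a root output at all. The `aws` provider and the `kubeflow` module already read it from `module.s3_user` directly.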