Skip to content
Snippets Groups Projects
0thanosrulerCustomResourceDefinition.yaml 366 KiB
Newer Older
                            This bool directly controls if the no_new_privs flag will
                            be set on the container process. AllowPrivilegeEscalation
                            is true always when the container is: 1) run as Privileged
                            2) has CAP_SYS_ADMIN'
paulfantom's avatar
paulfantom committed
                          type: boolean
                        capabilities:
                          description: The capabilities to add/drop when running containers.
                            Defaults to the default set of capabilities granted by
                            the container runtime.
paulfantom's avatar
paulfantom committed
                          properties:
                            add:
                              description: Added capabilities
                              items:
                                description: Capability represent POSIX capabilities
                                  type
paulfantom's avatar
paulfantom committed
                                type: string
                              type: array
                            drop:
                              description: Removed capabilities
                              items:
                                description: Capability represent POSIX capabilities
                                  type
paulfantom's avatar
paulfantom committed
                                type: string
                              type: array
                          type: object
                        privileged:
                          description: Run container in privileged mode. Processes
                            in privileged containers are essentially equivalent to
                            root on the host. Defaults to false.
paulfantom's avatar
paulfantom committed
                          type: boolean
                        procMount:
                          description: procMount denotes the type of proc mount to
                            use for the containers. The default is DefaultProcMount
                            which uses the container runtime defaults for readonly
                            paths and masked paths. This requires the ProcMountType
                            feature flag to be enabled.
                          type: string
paulfantom's avatar
paulfantom committed
                        readOnlyRootFilesystem:
                          description: Whether this container has a read-only root
                            filesystem. Default is false.
paulfantom's avatar
paulfantom committed
                          type: boolean
                        runAsGroup:
                          description: The GID to run the entrypoint of the container
                            process. Uses runtime default if unset. May also be set
                            in PodSecurityContext.  If set in both SecurityContext
                            and PodSecurityContext, the value specified in SecurityContext
                            takes precedence.
paulfantom's avatar
paulfantom committed
                          format: int64
                          type: integer
                        runAsNonRoot:
                          description: Indicates that the container must run as a
                            non-root user. If true, the Kubelet will validate the
                            image at runtime to ensure that it does not run as UID
                            0 (root) and fail to start the container if it does. If
                            unset or false, no such validation will be performed.
                            May also be set in PodSecurityContext.  If set in both
                            SecurityContext and PodSecurityContext, the value specified
                            in SecurityContext takes precedence.
paulfantom's avatar
paulfantom committed
                          type: boolean
                        runAsUser:
                          description: The UID to run the entrypoint of the container
                            process. Defaults to user specified in image metadata
                            if unspecified. May also be set in PodSecurityContext.  If
                            set in both SecurityContext and PodSecurityContext, the
                            value specified in SecurityContext takes precedence.
paulfantom's avatar
paulfantom committed
                          format: int64
                          type: integer
                        seLinuxOptions:
                          description: The SELinux context to be applied to the container.
                            If unspecified, the container runtime will allocate a
                            random SELinux context for each container.  May also be
                            set in PodSecurityContext.  If set in both SecurityContext
                            and PodSecurityContext, the value specified in SecurityContext
                            takes precedence.
paulfantom's avatar
paulfantom committed
                          properties:
                            level:
                              description: Level is SELinux level label that applies
                                to the container.
                              type: string
paulfantom's avatar
paulfantom committed
                            role:
                              description: Role is a SELinux role label that applies
                                to the container.
                              type: string
paulfantom's avatar
paulfantom committed
                            type:
                              description: Type is a SELinux type label that applies
                                to the container.
paulfantom's avatar
paulfantom committed
                              type: string
                            user:
                              description: User is a SELinux user label that applies
                                to the container.
paulfantom's avatar
paulfantom committed
                              type: string
                          type: object
                        seccompProfile:
                          description: The seccomp options to use by this container.
                            If seccomp options are provided at both the pod & container
                            level, the container options override the pod options.
                          properties:
                            localhostProfile:
                              description: localhostProfile indicates a profile defined
                                in a file on the node should be used. The profile
                                must be preconfigured on the node to work. Must be
                                a descending path, relative to the kubelet's configured
                                seccomp profile location. Must only be set if type
                                is "Localhost".
                              type: string
                            type:
                              description: "type indicates which kind of seccomp profile
                                will be applied. Valid options are: \n Localhost -
                                a profile defined in a file on the node should be
                                used. RuntimeDefault - the container runtime default
                                profile should be used. Unconfined - no profile should
                                be applied."
                              type: string
                          required:
                          - type
                          type: object
paulfantom's avatar
paulfantom committed
                        windowsOptions:
                          description: The Windows specific settings applied to all
                            containers. If unspecified, the options from the PodSecurityContext
                            will be used. If set in both SecurityContext and PodSecurityContext,
                            the value specified in SecurityContext takes precedence.
paulfantom's avatar
paulfantom committed
                          properties:
                            gmsaCredentialSpec:
                              description: GMSACredentialSpec is where the GMSA admission
                                webhook (https://github.com/kubernetes-sigs/windows-gmsa)
                                inlines the contents of the GMSA credential spec named
                                by the GMSACredentialSpecName field.
paulfantom's avatar
paulfantom committed
                              type: string
                            gmsaCredentialSpecName:
                              description: GMSACredentialSpecName is the name of the
                                GMSA credential spec to use.
paulfantom's avatar
paulfantom committed
                              type: string
                            hostProcess:
                              description: HostProcess determines if a container should
                                be run as a 'Host Process' container. This field is
                                alpha-level and will only be honored by components
                                that enable the WindowsHostProcessContainers feature
                                flag. Setting this field without the feature flag
                                will result in errors when validating the Pod. All
                                of a Pod's containers must have the same effective
                                HostProcess value (it is not allowed to have a mix
                                of HostProcess containers and non-HostProcess containers).  In
                                addition, if HostProcess is true then HostNetwork
                                must also be set to true.
                              type: boolean
paulfantom's avatar
paulfantom committed
                            runAsUserName:
                              description: The UserName in Windows to run the entrypoint
                                of the container process. Defaults to the user specified
                                in image metadata if unspecified. May also be set
                                in PodSecurityContext. If set in both SecurityContext
                                and PodSecurityContext, the value specified in SecurityContext
                                takes precedence.
paulfantom's avatar
paulfantom committed
                              type: string
                          type: object
                      type: object
                    startupProbe:
                      description: 'StartupProbe indicates that the Pod has successfully
                        initialized. If specified, no other probes are executed until
                        this completes successfully. If this probe fails, the Pod
                        will be restarted, just as if the livenessProbe failed. This
                        can be used to provide different probe parameters at the beginning
                        of a Pod''s lifecycle, when it might take a long time to load
                        data or warm a cache, than during steady-state operation.
                        This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
paulfantom's avatar
paulfantom committed
                      properties:
                        exec:
                          description: One and only one of the following should be
                            specified. Exec specifies the action to take.
paulfantom's avatar
paulfantom committed
                          properties:
                            command:
                              description: Command is the command line to execute
                                inside the container, the working directory for the
                                command  is root ('/') in the container's filesystem.
                                The command is simply exec'd, it is not run inside
                                a shell, so traditional shell instructions ('|', etc)
                                won't work. To use a shell, you need to explicitly
                                call out to that shell. Exit status of 0 is treated
                                as live/healthy and non-zero is unhealthy.
paulfantom's avatar
paulfantom committed
                              items:
                                type: string
                              type: array
                          type: object
                        failureThreshold:
                          description: Minimum consecutive failures for the probe
                            to be considered failed after having succeeded. Defaults
                            to 3. Minimum value is 1.
paulfantom's avatar
paulfantom committed
                          format: int32
                          type: integer
                        httpGet:
                          description: HTTPGet specifies the http request to perform.
                          properties:
                            host:
                              description: Host name to connect to, defaults to the
                                pod IP. You probably want to set "Host" in httpHeaders
                                instead.
paulfantom's avatar
paulfantom committed
                              type: string
                            httpHeaders:
                              description: Custom headers to set in the request. HTTP
                                allows repeated headers.
paulfantom's avatar
paulfantom committed
                              items:
                                description: HTTPHeader describes a custom header
                                  to be used in HTTP probes
paulfantom's avatar
paulfantom committed
                                properties:
                                  name:
                                    description: The header field name
                                    type: string
                                  value:
                                    description: The header field value
                                    type: string
                                required:
                                - name
                                - value
                                type: object
                              type: array
                            path:
                              description: Path to access on the HTTP server.
                              type: string
                            port:
                              anyOf:
                              - type: integer
                              - type: string
                              description: Name or number of the port to access on
                                the container. Number must be in the range 1 to 65535.
                                Name must be an IANA_SVC_NAME.
paulfantom's avatar
paulfantom committed
                              x-kubernetes-int-or-string: true
                            scheme:
                              description: Scheme to use for connecting to the host.
                                Defaults to HTTP.
paulfantom's avatar
paulfantom committed
                              type: string
                          required:
                          - port
                          type: object
                        initialDelaySeconds:
                          description: 'Number of seconds after the container has
                            started before liveness probes are initiated. More info:
                            https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
paulfantom's avatar
paulfantom committed
                          format: int32
                          type: integer
                        periodSeconds:
                          description: How often (in seconds) to perform the probe.
                            Default to 10 seconds. Minimum value is 1.
paulfantom's avatar
paulfantom committed
                          format: int32
                          type: integer
                        successThreshold:
                          description: Minimum consecutive successes for the probe
                            to be considered successful after having failed. Defaults
                            to 1. Must be 1 for liveness and startup. Minimum value
                            is 1.
paulfantom's avatar
paulfantom committed
                          format: int32
                          type: integer
                        tcpSocket:
                          description: 'TCPSocket specifies an action involving a
                            TCP port. TCP hooks not yet supported TODO: implement
                            a realistic TCP lifecycle hook'
paulfantom's avatar
paulfantom committed
                          properties:
                            host:
                              description: 'Optional: Host name to connect to, defaults
                                to the pod IP.'
paulfantom's avatar
paulfantom committed
                              type: string
                            port:
                              anyOf:
                              - type: integer
                              - type: string
                              description: Number or name of the port to access on
                                the container. Number must be in the range 1 to 65535.
                                Name must be an IANA_SVC_NAME.
paulfantom's avatar
paulfantom committed
                              x-kubernetes-int-or-string: true
                          required:
                          - port
                          type: object
                        terminationGracePeriodSeconds:
                          description: Optional duration in seconds the pod needs
                            to terminate gracefully upon probe failure. The grace
                            period is the duration in seconds after the processes
                            running in the pod are sent a termination signal and the
                            time when the processes are forcibly halted with a kill
                            signal. Set this value longer than the expected cleanup
                            time for your process. If this value is nil, the pod's
                            terminationGracePeriodSeconds will be used. Otherwise,
                            this value overrides the value provided by the pod spec.
                            Value must be non-negative integer. The value zero indicates
                            stop immediately via the kill signal (no opportunity to
                            shut down). This is a beta field and requires enabling
                            ProbeTerminationGracePeriod feature gate. Minimum value
                            is 1. spec.terminationGracePeriodSeconds is used if unset.
                          format: int64
                          type: integer
paulfantom's avatar
paulfantom committed
                        timeoutSeconds:
                          description: 'Number of seconds after which the probe times
                            out. Defaults to 1 second. Minimum value is 1. More info:
                            https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
paulfantom's avatar
paulfantom committed
                          format: int32
                          type: integer
                      type: object
                    stdin:
                      description: Whether this container should allocate a buffer
                        for stdin in the container runtime. If this is not set, reads
                        from stdin in the container will always result in EOF. Default
                        is false.
paulfantom's avatar
paulfantom committed
                      type: boolean
                    stdinOnce:
                      description: Whether the container runtime should close the
                        stdin channel after it has been opened by a single attach.
                        When stdin is true the stdin stream will remain open across
                        multiple attach sessions. If stdinOnce is set to true, stdin
                        is opened on container start, is empty until the first client
                        attaches to stdin, and then remains open and accepts data
                        until the client disconnects, at which time stdin is closed
                        and remains closed until the container is restarted. If this
                        flag is false, a container processes that reads from stdin
                        will never receive an EOF. Default is false
paulfantom's avatar
paulfantom committed
                      type: boolean
                    terminationMessagePath:
                      description: 'Optional: Path at which the file to which the
                        container''s termination message will be written is mounted
                        into the container''s filesystem. Message written is intended
                        to be brief final status, such as an assertion failure message.
                        Will be truncated by the node if greater than 4096 bytes.
                        The total message length across all containers will be limited
                        to 12kb. Defaults to /dev/termination-log. Cannot be updated.'
paulfantom's avatar
paulfantom committed
                      type: string
                    terminationMessagePolicy:
                      description: Indicate how the termination message should be
                        populated. File will use the contents of terminationMessagePath
                        to populate the container status message on both success and
                        failure. FallbackToLogsOnError will use the last chunk of
                        container log output if the termination message file is empty
                        and the container exited with an error. The log output is
                        limited to 2048 bytes or 80 lines, whichever is smaller. Defaults
                        to File. Cannot be updated.
paulfantom's avatar
paulfantom committed
                      type: string
                    tty:
                      description: Whether this container should allocate a TTY for
                        itself, also requires 'stdin' to be true. Default is false.
paulfantom's avatar
paulfantom committed
                      type: boolean
                    volumeDevices:
                      description: volumeDevices is the list of block devices to be
                        used by the container.
paulfantom's avatar
paulfantom committed
                      items:
                        description: volumeDevice describes a mapping of a raw block
                          device within a container.
                        properties:
paulfantom's avatar
paulfantom committed
                          devicePath:
                            description: devicePath is the path inside of the container
                              that the device will be mapped to.
                            type: string
paulfantom's avatar
paulfantom committed
                          name:
                            description: name must match the name of a persistentVolumeClaim
                              in the pod
                            type: string
paulfantom's avatar
paulfantom committed
                        required:
                        - devicePath
                        - name
                        type: object
paulfantom's avatar
paulfantom committed
                      type: array
                    volumeMounts:
                      description: Pod volumes to mount into the container's filesystem.
                        Cannot be updated.
paulfantom's avatar
paulfantom committed
                      items:
                        description: VolumeMount describes a mounting of a Volume
                          within a container.
                        properties:
paulfantom's avatar
paulfantom committed
                          mountPath:
                            description: Path within the container at which the volume
                              should be mounted.  Must not contain ':'.
paulfantom's avatar
paulfantom committed
                            type: string
                          mountPropagation:
                            description: mountPropagation determines how mounts are
                              propagated from the host to container and the other
                              way around. When not set, MountPropagationNone is used.
                              This field is beta in 1.10.
paulfantom's avatar
paulfantom committed
                            type: string
                          name:
                            description: This must match the Name of a Volume.
                            type: string
paulfantom's avatar
paulfantom committed
                          readOnly:
                            description: Mounted read-only if true, read-write otherwise
                              (false or unspecified). Defaults to false.
paulfantom's avatar
paulfantom committed
                            type: boolean
                          subPath:
                            description: Path within the volume from which the container's
                              volume should be mounted. Defaults to "" (volume's root).
                            type: string
paulfantom's avatar
paulfantom committed
                          subPathExpr:
                            description: Expanded path within the volume from which
                              the container's volume should be mounted. Behaves similarly
                              to SubPath but environment variable references $(VAR_NAME)
                              are expanded using the container's environment. Defaults
                              to "" (volume's root). SubPathExpr and SubPath are mutually
                              exclusive.
                            type: string
paulfantom's avatar
paulfantom committed
                        required:
                        - mountPath
                        - name
                        type: object
paulfantom's avatar
paulfantom committed
                      type: array
                    workingDir:
                      description: Container's working directory. If not specified,
                        the container runtime's default will be used, which might
                        be configured in the container image. Cannot be updated.
paulfantom's avatar
paulfantom committed
                      type: string
                  required:
                  - name
                  type: object
                type: array
              labels:
                additionalProperties:
                  type: string
                description: Labels configure the external label pairs to ThanosRuler.
                  A default replica label `thanos_ruler_replica` will be always added  as
                  a label with the value of the pod's name and it will be dropped
                  in the alerts.
paulfantom's avatar
paulfantom committed
                type: object
              listenLocal:
                description: ListenLocal makes the Thanos ruler listen on loopback,
                  so that it does not bind against the Pod IP.
paulfantom's avatar
paulfantom committed
                type: boolean
              logFormat:
                description: Log format for ThanosRuler to be configured with.
                type: string
              logLevel:
                description: Log level for ThanosRuler to be configured with.
                type: string
              minReadySeconds:
                description: Minimum number of seconds for which a newly created pod
                  should be ready without any of its container crashing for it to
                  be considered available. Defaults to 0 (pod will be considered available
                  as soon as it is ready) This is an alpha field and requires enabling
                  StatefulSetMinReadySeconds feature gate.
                format: int32
                type: integer
paulfantom's avatar
paulfantom committed
              nodeSelector:
                additionalProperties:
                  type: string
                description: Define which Nodes the Pods are scheduled on.
                type: object
              objectStorageConfig:
                description: ObjectStorageConfig configures object storage in Thanos.
                  Alternative to ObjectStorageConfigFile, and lower order priority.
paulfantom's avatar
paulfantom committed
                properties:
                  key:
                    description: The key of the secret to select from.  Must be a
                      valid secret key.
paulfantom's avatar
paulfantom committed
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Add other useful fields. apiVersion, kind, uid?'
paulfantom's avatar
paulfantom committed
                    type: string
                  optional:
                    description: Specify whether the Secret or its key must be defined
                    type: boolean
paulfantom's avatar
paulfantom committed
                required:
                - key
                type: object
Lili Cosic's avatar
Lili Cosic committed
              objectStorageConfigFile:
                description: ObjectStorageConfigFile specifies the path of the object
                  storage configuration file. When used alongside with ObjectStorageConfig,
                  ObjectStorageConfigFile takes precedence.
Lili Cosic's avatar
Lili Cosic committed
                type: string
paulfantom's avatar
paulfantom committed
              paused:
                description: When a ThanosRuler deployment is paused, no actions except
                  for deletion will be performed on the underlying objects.
paulfantom's avatar
paulfantom committed
                type: boolean
              podMetadata:
                description: PodMetadata contains Labels and Annotations gets propagated
                  to the thanos ruler pods.
paulfantom's avatar
paulfantom committed
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    description: 'Annotations is an unstructured key value map stored
                      with a resource that may be set by external tools to store and
                      retrieve arbitrary metadata. They are not queryable and should
                      be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
paulfantom's avatar
paulfantom committed
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    description: 'Map of string keys and values that can be used to
                      organize and categorize (scope and select) objects. May match
                      selectors of replication controllers and services. More info:
                      http://kubernetes.io/docs/user-guide/labels'
paulfantom's avatar
paulfantom committed
                    type: object
                  name:
                    description: 'Name must be unique within a namespace. Is required
                      when creating resources, although some resources may allow a
                      client to request the generation of an appropriate name automatically.
                      Name is primarily intended for creation idempotence and configuration
                      definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
                    type: string
paulfantom's avatar
paulfantom committed
                type: object
              portName:
                description: Port name used for the pods and governing service. This
                  defaults to web
paulfantom's avatar
paulfantom committed
                type: string
              priorityClassName:
                description: Priority class assigned to the Pods
                type: string
              prometheusRulesExcludedFromEnforce:
                description: PrometheusRulesExcludedFromEnforce - list of Prometheus
                  rules to be excluded from enforcing of adding namespace labels.
                  Works only if enforcedNamespaceLabel set to true. Make sure both
                  ruleNamespace and ruleName are set for each pair
                  description: PrometheusRuleExcludeConfig enables users to configure
                    excluded PrometheusRule names and their namespaces to be ignored
                    while enforcing namespace label for alerts and metrics.
                  properties:
                    ruleName:
                      description: RuleNamespace - name of excluded rule
                      type: string
                    ruleNamespace:
                      description: RuleNamespace - namespace of excluded rule
                      type: string
                  required:
                  - ruleName
                  - ruleNamespace
                  type: object
                type: array
paulfantom's avatar
paulfantom committed
              queryConfig:
                description: Define configuration for connecting to thanos query instances.
                  If this is defined, the QueryEndpoints field will be ignored. Maps
                  to the `query.config` CLI argument. Only available with thanos v0.11.0
                  and higher.
paulfantom's avatar
paulfantom committed
                properties:
                  key:
                    description: The key of the secret to select from.  Must be a
                      valid secret key.
paulfantom's avatar
paulfantom committed
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Add other useful fields. apiVersion, kind, uid?'
                    type: string
paulfantom's avatar
paulfantom committed
                  optional:
                    description: Specify whether the Secret or its key must be defined
                    type: boolean
paulfantom's avatar
paulfantom committed
                required:
                - key
                type: object
              queryEndpoints:
                description: QueryEndpoints defines Thanos querier endpoints from
                  which to query metrics. Maps to the --query flag of thanos ruler.
paulfantom's avatar
paulfantom committed
                items:
                  type: string
                type: array
              replicas:
                description: Number of thanos ruler instances to deploy.
                format: int32
                type: integer
              resources:
                description: Resources defines the resource requirements for single
                  Pods. If not provided, no requests/limits will be set
paulfantom's avatar
paulfantom committed
                properties:
                  limits:
                    additionalProperties:
Lili Cosic's avatar
Lili Cosic committed
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                      x-kubernetes-int-or-string: true
                    description: 'Limits describes the maximum amount of compute resources
                      allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
paulfantom's avatar
paulfantom committed
                    type: object
                  requests:
                    additionalProperties:
Lili Cosic's avatar
Lili Cosic committed
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                      x-kubernetes-int-or-string: true
                    description: 'Requests describes the minimum amount of compute
                      resources required. If Requests is omitted for a container,
                      it defaults to Limits if that is explicitly specified, otherwise
                      to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
paulfantom's avatar
paulfantom committed
                    type: object
                type: object
              retention:
                description: Time duration ThanosRuler shall retain data for. Default
                  is '24h', and must match the regular expression `[0-9]+(ms|s|m|h|d|w|y)`
                  (milliseconds seconds minutes hours days weeks years).
paulfantom's avatar
paulfantom committed
                type: string
              routePrefix:
                description: The route prefix ThanosRuler registers HTTP handlers
                  for. This allows thanos UI to be served on a sub-path.
paulfantom's avatar
paulfantom committed
                type: string
              ruleNamespaceSelector:
                description: Namespaces to be selected for Rules discovery. If unspecified,
                  only the same namespace as the ThanosRuler object is in is used.
paulfantom's avatar
paulfantom committed
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                      description: A label selector requirement is a selector that
                        contains values, a key, and an operator that relates the key
                        and values.
                      properties:
paulfantom's avatar
paulfantom committed
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
paulfantom's avatar
paulfantom committed
                        operator:
                          description: operator represents a key's relationship to
                            a set of values. Valid operators are In, NotIn, Exists
                            and DoesNotExist.
                          type: string
paulfantom's avatar
paulfantom committed
                        values:
                          description: values is an array of string values. If the
                            operator is In or NotIn, the values array must be non-empty.
                            If the operator is Exists or DoesNotExist, the values
                            array must be empty. This array is replaced during a strategic
                            merge patch.
paulfantom's avatar
paulfantom committed
                          items:
                            type: string
                          type: array
paulfantom's avatar
paulfantom committed
                      - key
                      - operator
                      type: object
                    type: array
paulfantom's avatar
paulfantom committed
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single
                      {key,value} in the matchLabels map is equivalent to an element
                      of matchExpressions, whose key field is "key", the operator
                      is "In", and the values array contains only "value". The requirements
                      are ANDed.
paulfantom's avatar
paulfantom committed
                    type: object
                type: object
              ruleSelector:
                description: A label selector to select which PrometheusRules to mount
                  for alerting and recording.
paulfantom's avatar
paulfantom committed
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                      description: A label selector requirement is a selector that
                        contains values, a key, and an operator that relates the key
                        and values.
                      properties:
paulfantom's avatar
paulfantom committed
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
paulfantom's avatar
paulfantom committed
                        operator:
                          description: operator represents a key's relationship to
                            a set of values. Valid operators are In, NotIn, Exists
                            and DoesNotExist.
                          type: string
paulfantom's avatar
paulfantom committed
                        values:
                          description: values is an array of string values. If the
                            operator is In or NotIn, the values array must be non-empty.
                            If the operator is Exists or DoesNotExist, the values
                            array must be empty. This array is replaced during a strategic
                            merge patch.
paulfantom's avatar
paulfantom committed
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single
                      {key,value} in the matchLabels map is equivalent to an element
                      of matchExpressions, whose key field is "key", the operator
                      is "In", and the values array contains only "value". The requirements
                      are ANDed.
paulfantom's avatar
paulfantom committed
                    type: object
                type: object
              securityContext:
                description: SecurityContext holds pod-level security attributes and
                  common container settings. This defaults to the default PodSecurityContext.
paulfantom's avatar
paulfantom committed
                properties:
                  fsGroup:
                    description: "A special supplemental group that applies to all
                      containers in a pod. Some volume types allow the Kubelet to
                      change the ownership of that volume to be owned by the pod:
                      \n 1. The owning GID will be the FSGroup 2. The setgid bit is
                      set (new files created in the volume will be owned by FSGroup)
                      3. The permission bits are OR'd with rw-rw---- \n If unset,
                      the Kubelet will not modify the ownership and permissions of
                      any volume."
paulfantom's avatar
paulfantom committed
                    format: int64
                    type: integer
                  fsGroupChangePolicy:
                    description: 'fsGroupChangePolicy defines behavior of changing
                      ownership and permission of the volume before being exposed
                      inside Pod. This field will only apply to volume types which
                      support fsGroup based ownership(and permissions). It will have
                      no effect on ephemeral volume types such as: secret, configmaps
                      and emptydir. Valid values are "OnRootMismatch" and "Always".
                      If not specified, "Always" is used.'
paulfantom's avatar
paulfantom committed
                    type: string
                  runAsGroup:
                    description: The GID to run the entrypoint of the container process.
                      Uses runtime default if unset. May also be set in SecurityContext.  If
                      set in both SecurityContext and PodSecurityContext, the value
                      specified in SecurityContext takes precedence for that container.
paulfantom's avatar
paulfantom committed
                    format: int64
                    type: integer
                  runAsNonRoot:
                    description: Indicates that the container must run as a non-root
                      user. If true, the Kubelet will validate the image at runtime
                      to ensure that it does not run as UID 0 (root) and fail to start
                      the container if it does. If unset or false, no such validation
                      will be performed. May also be set in SecurityContext.  If set
                      in both SecurityContext and PodSecurityContext, the value specified
                      in SecurityContext takes precedence.
paulfantom's avatar
paulfantom committed
                    type: boolean
                  runAsUser:
                    description: The UID to run the entrypoint of the container process.
                      Defaults to user specified in image metadata if unspecified.
                      May also be set in SecurityContext.  If set in both SecurityContext
                      and PodSecurityContext, the value specified in SecurityContext
                      takes precedence for that container.
paulfantom's avatar
paulfantom committed
                    format: int64
                    type: integer
                  seLinuxOptions:
                    description: The SELinux context to be applied to all containers.
                      If unspecified, the container runtime will allocate a random
                      SELinux context for each container.  May also be set in SecurityContext.  If
                      set in both SecurityContext and PodSecurityContext, the value
                      specified in SecurityContext takes precedence for that container.
paulfantom's avatar
paulfantom committed
                    properties:
                      level:
                        description: Level is SELinux level label that applies to
                          the container.
paulfantom's avatar
paulfantom committed
                        type: string
                      role:
                        description: Role is a SELinux role label that applies to
                          the container.
paulfantom's avatar
paulfantom committed
                        type: string
                      type:
                        description: Type is a SELinux type label that applies to
                          the container.
paulfantom's avatar
paulfantom committed
                        type: string
                      user:
                        description: User is a SELinux user label that applies to
                          the container.
paulfantom's avatar
paulfantom committed
                        type: string
                    type: object
                  seccompProfile:
                    description: The seccomp options to use by the containers in this
                      pod.
                    properties:
                      localhostProfile:
                        description: localhostProfile indicates a profile defined
                          in a file on the node should be used. The profile must be
                          preconfigured on the node to work. Must be a descending
                          path, relative to the kubelet's configured seccomp profile
                          location. Must only be set if type is "Localhost".
                        type: string
                      type:
                        description: "type indicates which kind of seccomp profile
                          will be applied. Valid options are: \n Localhost - a profile
                          defined in a file on the node should be used. RuntimeDefault
                          - the container runtime default profile should be used.
                          Unconfined - no profile should be applied."
                        type: string
                    required:
                    - type
                    type: object
paulfantom's avatar
paulfantom committed
                  supplementalGroups:
                    description: A list of groups applied to the first process run
                      in each container, in addition to the container's primary GID.  If
                      unspecified, no groups will be added to any container.
paulfantom's avatar
paulfantom committed
                    items:
                      format: int64
                      type: integer
                    type: array
                  sysctls:
                    description: Sysctls hold a list of namespaced sysctls used for
                      the pod. Pods with unsupported sysctls (by the container runtime)
                      might fail to launch.
paulfantom's avatar
paulfantom committed
                    items:
                      description: Sysctl defines a kernel parameter to be set
                      properties:
paulfantom's avatar
paulfantom committed
                          description: Name of a property to set
                          type: string
paulfantom's avatar
paulfantom committed
                        value:
                          description: Value of a property to set
                          type: string
                      required:
                      - name
paulfantom's avatar
paulfantom committed
                      - value
                      type: object
                    type: array
paulfantom's avatar
paulfantom committed
                  windowsOptions:
                    description: The Windows specific settings applied to all containers.
                      If unspecified, the options within a container's SecurityContext
                      will be used. If set in both SecurityContext and PodSecurityContext,
                      the value specified in SecurityContext takes precedence.
                    properties:
paulfantom's avatar
paulfantom committed
                      gmsaCredentialSpec:
                        description: GMSACredentialSpec is where the GMSA admission
                          webhook (https://github.com/kubernetes-sigs/windows-gmsa)
                          inlines the contents of the GMSA credential spec named by
                          the GMSACredentialSpecName field.
                        type: string
paulfantom's avatar
paulfantom committed
                      gmsaCredentialSpecName:
                        description: GMSACredentialSpecName is the name of the GMSA
                          credential spec to use.
paulfantom's avatar
paulfantom committed
                        type: string
                      hostProcess:
                        description: HostProcess determines if a container should
                          be run as a 'Host Process' container. This field is alpha-level
                          and will only be honored by components that enable the WindowsHostProcessContainers
                          feature flag. Setting this field without the feature flag
                          will result in errors when validating the Pod. All of a
                          Pod's containers must have the same effective HostProcess
                          value (it is not allowed to have a mix of HostProcess containers
                          and non-HostProcess containers).  In addition, if HostProcess
                          is true then HostNetwork must also be set to true.
                        type: boolean
paulfantom's avatar
paulfantom committed
                      runAsUserName:
                        description: The UserName in Windows to run the entrypoint
                          of the container process. Defaults to the user specified
                          in image metadata if unspecified. May also be set in PodSecurityContext.
                          If set in both SecurityContext and PodSecurityContext, the
                          value specified in SecurityContext takes precedence.
                        type: string
                    type: object
paulfantom's avatar
paulfantom committed
                type: object
              serviceAccountName:
                description: ServiceAccountName is the name of the ServiceAccount
                  to use to run the Thanos Ruler Pods.
paulfantom's avatar
paulfantom committed
                type: string
              storage:
                description: Storage spec to specify how storage shall be used.
                properties:
                  disableMountSubPath:
                    description: 'Deprecated: subPath usage will be disabled by default
                      in a future release, this option will become unnecessary. DisableMountSubPath
                      allows to remove any subPath usage in volume mounts.'
paulfantom's avatar
paulfantom committed
                    type: boolean
                  emptyDir:
                    description: 'EmptyDirVolumeSource to be used by the Prometheus
                      StatefulSets. If specified, used in place of any volumeClaimTemplate.
                      More info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir'
                    properties:
paulfantom's avatar
paulfantom committed
                      medium:
                        description: 'What type of storage medium should back this
                          directory. The default is "" which means to use the node''s
                          default medium. Must be an empty string (default) or Memory.
                          More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
                        type: string
paulfantom's avatar
paulfantom committed
                      sizeLimit:
Lili Cosic's avatar
Lili Cosic committed
                        anyOf:
                        - type: integer
                        - type: string
                        description: 'Total amount of local storage required for this
                          EmptyDir volume. The size limit is also applicable for memory
                          medium. The maximum usage on memory medium EmptyDir would
                          be the minimum value between the SizeLimit specified here
                          and the sum of memory limits of all containers in a pod.
                          The default is nil which means that the limit is undefined.
                          More info: http://kubernetes.io/docs/user-guide/volumes#emptydir'
Lili Cosic's avatar
Lili Cosic committed
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                    type: object
                  ephemeral:
                    description: 'EphemeralVolumeSource to be used by the Prometheus
                      StatefulSets. This is a beta field in k8s 1.21, for lower versions,
                      starting with k8s 1.19, it requires enabling the GenericEphemeralVolume
                      feature gate. More info: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes'
                    properties:
                      volumeClaimTemplate:
                        description: "Will be used to create a stand-alone PVC to
                          provision the volume. The pod in which this EphemeralVolumeSource
                          is embedded will be the owner of the PVC, i.e. the PVC will
                          be deleted together with the pod.  The name of the PVC will
                          be `<pod name>-<volume name>` where `<volume name>` is the
                          name from the `PodSpec.Volumes` array entry. Pod validation
                          will reject the pod if the concatenated name is not valid
                          for a PVC (for example, too long). \n An existing PVC with
                          that name that is not owned by the pod will *not* be used
                          for the pod to avoid using an unrelated volume by mistake.
                          Starting the pod is then blocked until the unrelated PVC
                          is removed. If such a pre-created PVC is meant to be used
                          by the pod, the PVC has to updated with an owner reference
                          to the pod once the pod exists. Normally this should not
                          be necessary, but it may be useful when manually reconstructing
                          a broken cluster. \n This field is read-only and no changes
                          will be made by Kubernetes to the PVC after it has been
                          created. \n Required, must not be nil."
                        properties:
                          metadata:
                            description: May contain labels and annotations that will
                              be copied into the PVC when creating it. No other fields
                              are allowed and will be rejected during validation.
                            type: object
                          spec:
                            description: The specification for the PersistentVolumeClaim.
                              The entire content is copied unchanged into the PVC
                              that gets created from this template. The same fields
                              as in a PersistentVolumeClaim are also valid here.
                            properties:
                              accessModes:
                                description: 'AccessModes contains the desired access
                                  modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
                                items:
                                  type: string
                                type: array
                              dataSource:
                                description: 'This field can be used to specify either:
                                  * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
                                  * An existing PVC (PersistentVolumeClaim) If the
                                  provisioner or an external controller can support
                                  the specified data source, it will create a new
                                  volume based on the contents of the specified data
                                  source. If the AnyVolumeDataSource feature gate
                                  is enabled, this field will always have the same
                                  contents as the DataSourceRef field.'
                                properties:
                                  apiGroup:
                                    description: APIGroup is the group for the resource
                                      being referenced. If APIGroup is not specified,
                                      the specified Kind must be in the core API group.
                                      For any other third-party types, APIGroup is
                                      required.
                                    type: string
                                  kind:
                                    description: Kind is the type of resource being
                                      referenced
                                    type: string
                                  name:
                                    description: Name is the name of resource being
                                      referenced
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                              dataSourceRef:
                                description: 'Specifies the object from which to populate
                                  the volume with data, if a non-empty volume is desired.
                                  This may be any local object from a non-empty API
                                  group (non core object) or a PersistentVolumeClaim
                                  object. When this field is specified, volume binding
                                  will only succeed if the type of the specified object
                                  matches some installed volume populator or dynamic
                                  provisioner. This field will replace the functionality
                                  of the DataSource field and as such if both fields
                                  are non-empty, they must have the same value. For
                                  backwards compatibility, both fields (DataSource
                                  and DataSourceRef) will be set to the same value
                                  automatically if one of them is empty and the other
                                  is non-empty. There are two important differences
                                  between DataSource and DataSourceRef: * While DataSource
                                  only allows two specific types of objects, DataSourceRef   allows
                                  any non-core object, as well as PersistentVolumeClaim
                                  objects. * While DataSource ignores disallowed values
                                  (dropping them), DataSourceRef   preserves all values,
                                  and generates an error if a disallowed value is   specified.
                                  (Alpha) Using this field requires the AnyVolumeDataSource
                                  feature gate to be enabled.'
                                properties:
                                  apiGroup:
                                    description: APIGroup is the group for the resource
                                      being referenced. If APIGroup is not specified,
                                      the specified Kind must be in the core API group.
                                      For any other third-party types, APIGroup is
                                      required.
                                    type: string
                                  kind:
                                    description: Kind is the type of resource being
                                      referenced
                                    type: string
                                  name:
                                    description: Name is the name of resource being
                                      referenced
                                    type: string
                                required:
                                - kind
                                - name
                                type: object
                              resources:
                                description: 'Resources represents the minimum resources
                                  the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
                                properties:
                                  limits:
                                    additionalProperties:
                                      anyOf:
                                      - type: integer
                                      - type: string
                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                      x-kubernetes-int-or-string: true
                                    description: 'Limits describes the maximum amount
                                      of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                    type: object
                                  requests:
                                    additionalProperties:
                                      anyOf: