diff --git a/apps/base/tekton/README.md b/apps/base/tekton/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..13e5a9fd7b745c4b75b46ab113b9e637e6c7d59d
--- /dev/null
+++ b/apps/base/tekton/README.md
@@ -0,0 +1,6 @@
+Tekton
+===
+
+Tekton is an open-source framework for creating continuous integration and continuous delivery (CI/CD) systems, designed to run on Kubernetes. It provides a set of reusable components, known as "Tasks" and "Pipelines," that enable developers to define and automate their software delivery processes. By leveraging Kubernetes-native resources, Tekton allows for scalable and flexible workflows that can integrate with various tools and services in the cloud-native ecosystem.
+
+<iframe src="https://www.youtube-nocookie.com/embed/skcLi9-WTkA" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
\ No newline at end of file
diff --git a/apps/base/tekton/config-restricted-patch.yaml b/apps/base/tekton/config-restricted-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0c802211163f797b2535898309dbdf38760ad27d
--- /dev/null
+++ b/apps/base/tekton/config-restricted-patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /data/set-security-context
+ value: "true"
\ No newline at end of file
diff --git a/apps/base/tekton/kustomization.yaml b/apps/base/tekton/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..46bd8aef74b3a18f797006108d424f70b7f4e08d
--- /dev/null
+++ b/apps/base/tekton/kustomization.yaml
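Review bot: The patch flips `set-security-context` in the `feature-flags` ConfigMap without a comment saying what the flag changes or why it is needed, and the file name `config-restricted-patch.yaml` is the only hint. A reader bumping Tekton later cannot tell whether this flag must be kept; add a comment above the operation such as `# set-security-context: ask Tekton to add a securityContext to the containers of TaskRun pods so they are admitted in namespaces that enforce the restricted Pod Security Standard (confirm against the v0.70.0 feature-flags reference)`. JSON Patch `add` on a key that already exists in `/data` replaces its value, which appears to be the intent here, and the value must stay a quoted string since ConfigMap data values are strings.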
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # curl https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.70.0/release.yaml > tekton-pipelines-v0.70.0.yaml
+ - tekton-pipelines-v0.70.0.yaml
+ # curl https://storage.googleapis.com/tekton-releases/triggers/previous/v0.31.0/release.yaml > tekton-triggers-v0.31.0.yaml
+ - tekton-triggers-v0.31.0.yaml
+ # curl https://storage.googleapis.com/tekton-releases/triggers/previous/v0.31.0/interceptors.yaml > tekton-interceptors-v0.31.0.yaml
+ - tekton-interceptors-v0.31.0.yaml
+ - poddisruptionbudget.yaml
+
+patches:
+ - path: ./config-restricted-patch.yaml
+ target:
+ version: v1
+ kind: ConfigMap
+ name: feature-flags
+ namespace: tekton-pipelines
\ No newline at end of file
diff --git a/apps/base/tekton/poddisruptionbudget.yaml b/apps/base/tekton/poddisruptionbudget.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..747c898f8666c0438e92bd85faa29a140f1fbeb2
--- /dev/null
+++ b/apps/base/tekton/poddisruptionbudget.yaml
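Review bot: The vendored release manifests under `resources:` are traceable only through the `curl` commands in the comments, which record where the file came from but not what content was fetched; the `tekton-pipelines-v0.70.0.yaml` hunk alone is over 32,000 lines, so nobody reviewing this diff can confirm it matches the upstream release by reading it. Record the digest of each downloaded file next to its comment, for example `# sha256: <SHA256_OF_RELEASE_YAML>` (placeholder to fill in from the download), so the next version bump can be checked with `sha256sum -c` against the file actually committed rather than trusting the fetch. The same applies to the triggers and interceptors entries in this hunk.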
@@ -0,0 +1,39 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-pipelines
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: tekton-triggers-interceptors
+ namespace: tekton-pipelines
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: interceptors
+ app.kubernetes.io/name: core-interceptors
+ app.kubernetes.io/part-of: tekton-triggers
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: tekton-triggers-webhook
+ namespace: tekton-pipelines
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-triggers
\ No newline at end of file
diff --git a/apps/base/tekton/tekton-interceptors-v0.31.0.yaml b/apps/base/tekton/tekton-interceptors-v0.31.0.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..15c81c38a5909b66cadfcb872ebba7d245bbf4e6
--- /dev/null
+++ b/apps/base/tekton/tekton-interceptors-v0.31.0.yaml
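Review bot: `maxUnavailable: 1` provides no protection for a Deployment that runs a single replica, and the `tekton-triggers-core-interceptors` Deployment vendored in this same commit declares `replicas: 1` while carrying exactly the labels the `tekton-triggers-interceptors` budget selects on, so a node drain may still evict its only pod and every `ClusterInterceptor` routed through it becomes unreachable until it is rescheduled. The replica counts of the two webhook Deployments sit inside the vendored `tekton-pipelines` and `tekton-triggers` manifests and were not checked here, but the same reasoning likely applies. Switching to `minAvailable: 1` would instead block drains outright on a single replica, so the real fix is to raise replicas where availability matters and keep these budgets as they are. Until then, a comment above each `maxUnavailable: 1` such as `# NOTE: with replicas=1 this budget permits eviction of the only pod; it only becomes protective once the Deployment is scaled up` would stop a reader from assuming the budget already guarantees availability.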
@@ -0,0 +1,230 @@ +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: tekton-triggers-core-interceptors-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" +# The data is populated at install time. + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + triggers.tekton.dev/release: "v0.31.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + template: + metadata: + labels: + app.kubernetes.io/name: core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + app: tekton-triggers-core-interceptors + triggers.tekton.dev/release: "v0.31.0" + # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + version: "v0.31.0" + spec: + serviceAccountName: tekton-triggers-core-interceptors + containers: + - name: tekton-triggers-core-interceptors + image: "ghcr.io/tektoncd/triggers/interceptors-3176d6a3f314c3655b30bfd36e421dd5:v0.31.0@sha256:7662d66b3b471fce5d7510592c744d87701a3c5c424d50b22c4f45146e0aa10d" + ports: + - containerPort: 8443 + args: ["-logtostderr", "-stderrthreshold", "INFO"] + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging-triggers + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability-triggers + - name: METRICS_DOMAIN + value: tekton.dev/triggers + # assuming service and deployment names are same always for consistency + - name: INTERCEPTOR_TLS_SVC_NAME + value: tekton-triggers-core-interceptors + - name: INTERCEPTOR_TLS_SECRET_NAME + value: 
tekton-triggers-core-interceptors-certs + readinessProbe: + httpGet: + path: /ready + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + # User 65532 is the distroless nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: tekton-triggers-core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" + app: tekton-triggers-core-interceptors + version: "v0.31.0" + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines +spec: + ports: + - name: "https" + port: 8443 + selector: + app.kubernetes.io/name: core-interceptors + app.kubernetes.io/component: interceptors + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: triggers.tekton.dev/v1alpha1 +kind: ClusterInterceptor +metadata: + name: cel + labels: + server/type: https +spec: + clientConfig: + service: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + path: "cel" + port: 8443 +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: ClusterInterceptor +metadata: + name: bitbucket + labels: + server/type: https +spec: + clientConfig: + service: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + path: "bitbucket" + port: 8443 +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: ClusterInterceptor +metadata: + name: slack + labels: + server/type: https +spec: + clientConfig: + service: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + path: "slack" + port: 8443 +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: ClusterInterceptor +metadata: + name: github + labels: + server/type: https +spec: + clientConfig: + service: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + path: "github" + port: 8443 +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: ClusterInterceptor +metadata: + name: gitlab + labels: + server/type: https +spec: + clientConfig: + service: + name: tekton-triggers-core-interceptors + namespace: tekton-pipelines + path: "gitlab" + port: 8443 + +--- diff --git a/apps/base/tekton/tekton-pipelines-v0.70.0.yaml b/apps/base/tekton/tekton-pipelines-v0.70.0.yaml new file mode 100644 index 0000000000000000000000000000000000000000..52ec9d3b0da141e5ba3903b70e9ee8ec6c2c92a1 --- /dev/null +++ b/apps/base/tekton/tekton-pipelines-v0.70.0.yaml 
@@ -0,0 +1,32090 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pod-security.kubernetes.io/enforce: restricted + +--- +# Copyright 2020-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + # Controller needs to watch Pods created by TaskRuns to see them progress. 
+ resources: ["pods"] + verbs: ["list", "watch"] + - apiGroups: [""] + # Controller needs to get the list of cordoned nodes over the course of a single run + resources: ["nodes"] + verbs: ["list"] + # Controller needs cluster access to all of the CRDs that it is responsible for + # managing. + - apiGroups: ["tekton.dev"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns", "stepactions"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["verificationpolicies"] + verbs: ["get", "list", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["taskruns/finalizers", "pipelineruns/finalizers", "customruns/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status", "stepactions/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # resolution.tekton.dev + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # Read-write access to create Pods and PVCs (for Workspaces) + - apiGroups: [""] + resources: ["pods", "persistentvolumeclaims"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Write permissions to publish events. 
+ - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + # Read-only access to these. + - apiGroups: [""] + resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch"] + # Read-write access to StatefulSets for Affinity Assistant. + - apiGroups: ["apps"] + resources: ["statefulsets"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # The webhook needs to be able to get and update customresourcedefinitions, + # mainly to update the webhook certificates. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "update", "patch"] + resourceNames: + - pipelines.tekton.dev + - pipelineruns.tekton.dev + - tasks.tekton.dev + - clustertasks.tekton.dev + - taskruns.tekton.dev + - resolutionrequests.resolution.tekton.dev + - customruns.tekton.dev + - verificationpolicies.tekton.dev + - stepactions.tekton.dev + # knative.dev/pkg needs list/watch permissions to set up informers for the webhook. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. 
+ verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. + resourceNames: ["webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update", "delete"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. + # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure + resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get"] + # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, + # which requires we can Get the system namespace. + resourceNames: ["tekton-pipelines"] + - apiGroups: [""] + resources: ["namespaces/finalizers"] + verbs: ["update"] + # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, + # which requires we can update the system namespace finalizers. 
+ resourceNames: ["tekton-pipelines"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-events-controller-cluster-access + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: ["tekton.dev"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The controller needs access to these configmaps for logging information and runtime configuration. 
+ - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-controller", "config-registry-cert"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The webhook needs access to these configmaps for logging information. + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-leader-election-webhook", "feature-flags"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] + # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["webhook-certs"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The controller needs access to these configmaps for logging information and runtime configuration. 
+ - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-events", "config-registry-cert"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-leader-election + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # We uses leases for leaderelection + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: tekton-pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # All system:authenticated users needs to have access + # of the pipelines-info ConfigMap even if they don't + # have access to the other resources present in the + # installed namespace. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["pipelines-info"] + verbs: ["get"] + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. 
The access described by +# the tekton-pipelines-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-tenant-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-events-controller-cluster-access + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-events-controller-cluster-access + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-webhook + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller-leaderelection + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook-leaderelection + namespace: 
tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + # Giving all system:authenticated users the access of the + # ConfigMap which contains version information. + - kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tekton-pipelines-info +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-events-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-events-controller-leaderelection + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except 
in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustertasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + ClusterTask is a Task with a cluster scope. ClusterTasks are used to + represent Tasks that should be publicly addressable from any namespace in the + cluster. + + Deprecated: Please use the cluster resolver instead. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Task from the client + type: object + properties: + description: + description: |- + Description is a user-facing description of the task that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the task that may be + used to populate a UI. + type: string + params: + description: |- + Params is a list of input parameters required to run the task. Params + must be supplied as inputs in TaskRuns unless they declare a default + value. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. 
+ type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list input and output resource to run the task + Resources are represented in TaskRuns as bindings to instances of + PipelineResources. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + properties: + inputs: + description: |- + Inputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + TaskResource defines an input or output Resource declared as a requirement + by a Task. The Name field will be used to refer to these Resources within + the Task definition, and when provided as an Input, the Name will be the + path to the volume mounted containing this Resource as an input (e.g. + an input Resource named `workspace` will be mounted at `/workspace`). + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - type + properties: + description: + description: |- + Description is a user-facing description of the declared resource that may be + used to populate a UI. + type: string + name: + description: |- + Name declares the name by which a resource is referenced in the + definition. Resources may be referenced by name in the definition of a + Task's steps. + type: string + optional: + description: |- + Optional declares the resource as optional. 
+ By default optional is set to false which makes a resource required. + optional: true - the resource is considered optional + optional: false - the resource is considered required (equivalent of not specifying it) + type: boolean + targetPath: + description: |- + TargetPath is the path in workspace directory where the resource + will be copied. + type: string + type: + description: Type is the type of this resource; + type: string + x-kubernetes-list-type: atomic + outputs: + description: |- + Outputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + TaskResource defines an input or output Resource declared as a requirement + by a Task. The Name field will be used to refer to these Resources within + the Task definition, and when provided as an Input, the Name will be the + path to the volume mounted containing this Resource as an input (e.g. + an input Resource named `workspace` will be mounted at `/workspace`). + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - type + properties: + description: + description: |- + Description is a user-facing description of the declared resource that may be + used to populate a UI. + type: string + name: + description: |- + Name declares the name by which a resource is referenced in the + definition. Resources may be referenced by name in the definition of a + Task's steps. + type: string + optional: + description: |- + Optional declares the resource as optional. + By default optional is set to false which makes a resource required. + optional: true - the resource is considered optional + optional: false - the resource is considered required (equivalent of not specifying it) + type: boolean + targetPath: + description: |- + TargetPath is the path in workspace directory where the resource + will be copied. 
+ type: string + type: + description: Type is the type of this resource; + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this Task can output + type: array + items: + description: TaskResult used to describe the results of a task + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the expression used to retrieve the value of the result from an underlying Step. + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + sidecars: + description: |- + Sidecars are run alongside the Task's step containers. They begin before + the steps start and end after the steps complete. + type: array + items: + description: Sidecar has nearly the same data structure as Step but does not have the ability to timeout. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
"$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the Sidecar. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
+ Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Sidecar. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Sidecar is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. 
+ type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image name to be used by the Sidecar. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to Sidecar lifecycle events. + Cannot be updated. 
+ type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. 
+ Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of Sidecar liveness. + Container will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Sidecar specified as a DNS_LABEL. + Each Sidecar in a Task must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: |- + List of ports to expose from the Sidecar. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of Sidecar service readiness. 
+ Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: + description: |- + Compute Resources required by this Sidecar. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + restartPolicy: + description: |- + RestartPolicy refers to kubernetes RestartPolicy. It can only be set for an + initContainer and must have it's policy set to "Always". It is currently + left optional to help support Kubernetes versions prior to 1.29 when this feature + was introduced. + type: string + script: + description: |- + Script is the contents of an executable file to execute. 
+ + If Script is not empty, the Step cannot have an Command or Args. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Sidecar should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". 
Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + StartupProbe indicates that the Pod the Sidecar is running in has successfully initialized. 
+ If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. 
+ type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. 
+ type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Sidecar should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Sidecar will always result in EOF. + Default is false. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. 
If stdinOnce is set to true, stdin is opened on Sidecar start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the Sidecar is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + type: boolean + terminationMessagePath: + description: |- + Optional: Path at which the file to which the Sidecar's termination message + will be written is mounted into the Sidecar's filesystem. + Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. + type: string + terminationMessagePolicy: + description: |- + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the Sidecar status message on both success and failure. + FallbackToLogsOnError will use the last chunk of Sidecar log output if the termination + message file is empty and the Sidecar exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. + type: string + tty: + description: |- + Whether this Sidecar should allocate a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Sidecar. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. 
+ type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Sidecar's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). 
+ + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Sidecar's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Sidecar wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. 
+ type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + stepTemplate: + description: |- + StepTemplate can be used as the basis for all step containers within the + Task, so that the steps inherit settings on the base container. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The docker image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. 
+ type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. 
+ The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Default image name to use for each Step. 
+ More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to container lifecycle events. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. 
You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Default name for each Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: string + ports: + description: |- + List of ports to expose from the Step's container. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + + Deprecated: This field will be removed in a future release. 
+ type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. 
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). 
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: + description: |- + Compute Resources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. 
+ Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + DeprecatedStartupProbe indicates that the Pod has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Step should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Step will always result in EOF. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + + Deprecated: This field will be removed in a future release. + type: boolean + terminationMessagePath: + description: 'Deprecated: This field will be removed in a future release and cannot be meaningfully used.' + type: string + terminationMessagePolicy: + description: 'Deprecated: This field will be removed in a future release and cannot be meaningfully used.' + type: string + tty: + description: |- + Whether this Step should allocate a DeprecatedTTY for itself, also requires 'stdin' to be true. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. 
+ type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. 
If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + steps: + description: |- + Steps are the steps of the build; each step is run sequentially with the + source mounted into /workspace. + type: array + items: + description: Step runs a subcomponent of a Task + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. 
Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. 
Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the container. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. 
+ type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name to run for this Step. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to container lifecycle events. + Cannot be updated. 
+ + Deprecated: This field will be removed in a future release. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of container liveness. + Step will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. 
Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + type: string + onError: + description: |- + OnError defines the exiting behavior of a container on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Params declares parameters passed to this step action. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + ports: + description: |- + List of ports to expose from the Step's container. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. 
+ type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of container service readiness. + Step will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. 
+ type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + ref: + description: Contains the reference to an existing StepAction. 
+ type: object + properties: + name: + description: Name of the referenced step + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + resources: + description: |- + Compute Resources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + results: + description: |- + Results declares StepResults produced by the Step. + + This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. + + It can be used in an inlined Step when used to store Results to $(step.results.resultName.path). + It cannot be used when referencing StepActions using [v1beta1.Step.Ref]. + The Results declared by the StepActions will be stored here instead. + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. 
+ type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. 
+ Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + DeprecatedStartupProbe indicates that the Pod this Step runs in has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stderrConfig: + description: Stores configuration for the stderr stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + stdin: + description: |- + Whether this container should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will always result in EOF. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + + Deprecated: This field will be removed in a future release. + type: boolean + stdoutConfig: + description: Stores configuration for the stdout stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + terminationMessagePath: + description: 'Deprecated: This field will be removed in a future release and can''t be meaningfully used.' 
+ type: string + terminationMessagePolicy: + description: 'Deprecated: This field will be removed in a future release and can''t be meaningfully used.' + type: string + timeout: + description: |- + Timeout is the time after which the step times out. Defaults to never. + Refer to Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + tty: + description: |- + Whether this container should allocate a DeprecatedTTY for itself, also requires 'stdin' to be true. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + when: + description: |- + WhenExpressions are used to specify whether a Task should be executed or skipped + All of them need to evaluate to True for a guarded Task to be executed. 
+ type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Step wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + volumes: + description: |- + Volumes is a collection of volumes that are available to mount into the + steps of the build. + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + workspaces: + description: Workspaces are the volumes that this Task requires. + type: array + items: + description: WorkspaceDeclaration is a declaration of a volume that a Task requires. + type: object + required: + - name + properties: + description: + description: Description is an optional human readable description of this volume. + type: string + mountPath: + description: MountPath overrides the directory that the volume will be made available at. + type: string + name: + description: Name is the name by which you can bind the volume at runtime. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in TaskRuns. By default + this field is false and so declared workspaces are required. + type: boolean + readOnly: + description: |- + ReadOnly dictates whether a mounted volume is writable. By default this + field is false and so mounted volumes are writable. 
+ type: boolean + x-kubernetes-list-type: atomic + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: ClusterTask + plural: clustertasks + singular: clustertask + categories: + - tekton + - tekton-pipelines + scope: Cluster + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: customruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + description: CustomRun represents a single execution of a Custom Task. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CustomRunSpec defines the desired state of CustomRun + type: object + properties: + customRef: + description: TaskRef can be used to refer to a specific instance of a task. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Cluster-Scoped Task when Kind is set to "ClusterTask" + 3. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". 
+ type: string + customSpec: + description: Spec is a specification of a custom task + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: PipelineTaskMetadata contains the labels or annotations for an EmbeddedTask + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + labels: + type: object + additionalProperties: + type: string + spec: + description: Spec is a specification of a custom task + type: object + x-kubernetes-preserve-unknown-fields: true + params: + description: Params is a list of Param + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + retries: + description: Used for propagating retries count to custom tasks + type: integer + serviceAccountName: + type: string + status: + description: Used for cancelling a customrun (and maybe more later on) + type: string + statusMessage: + description: Status message for cancellation. + type: string + timeout: + description: |- + Time after which the custom-task times out. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + workspaces: + description: Workspaces is a list of WorkspaceBindings from volumes to workspaces. + type: array + items: + description: WorkspaceBinding maps a Task's declared workspace to a Volume. + type: object + required: + - name + properties: + configMap: + description: ConfigMap represents a configMap that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + csi: + description: CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers. + type: object + required: + - driver + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). 
+ type: boolean + volumeAttributes: + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + additionalProperties: + type: string + emptyDir: + description: |- + EmptyDir represents a temporary directory that shares a Task's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + Either this OR PersistentVolumeClaim can be used. + type: object + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: Name is the name of the workspace populated by the volume. + type: string + persistentVolumeClaim: + description: |- + PersistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. Either this OR EmptyDir can be used. + type: object + required: + - claimName + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + projected: + description: Projected represents a projected volume that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + type: array + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + type: object + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. 
+ type: object + required: + - path + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. 
If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. 
Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. 
+ type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: Secret represents a secret that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. 
+ This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + volumeClaimTemplate: + description: |- + VolumeClaimTemplate is a template for a claim that will be created in the same namespace. + The PipelineRun controller is responsible for creating a unique claim for each instance of PipelineRun. + See PersistentVolumeClaim (API version: v1) + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + status: + description: CustomRunStatus defines the observed state of CustomRun + type: object + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + completionTime: + description: CompletionTime is the time the build completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. 
+ type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + extraFields: + description: |- + ExtraFields holds arbitrary fields provided by the custom task + controller. + x-kubernetes-preserve-unknown-fields: true + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + results: + description: |- + Results reports any output result values to be consumed by later + tasks in a pipeline. + type: array + items: + description: CustomRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + value: + description: Value the given value of the result + type: string + retriesStatus: + description: |- + RetriesStatus contains the history of CustomRunStatus, in case of a retry. 
+ See CustomRun.status (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + startTime: + description: StartTime is the time the build is actually started. + type: string + format: date-time + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: CustomRun + plural: customruns + singular: customrun + categories: + - tekton + - tekton-pipelines + scope: Namespaced + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: pipelines.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + subresources: + status: {} + schema: + openAPIV3Schema: + description: |- + Pipeline describes a list of Tasks to execute. 
It expresses how outputs + of tasks feed into inputs of subsequent tasks. + + Deprecated: Please use v1.Pipeline instead. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Pipeline from the client + type: object + properties: + description: + description: |- + Description is a user-facing description of the pipeline that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the pipeline that may be + used to populate a UI. + type: string + finally: + description: |- + Finally declares the list of Tasks that execute just before leaving the Pipeline + i.e. either after all Tasks are finished executing successfully + or after a failure which would result in ending the Pipeline + type: array + items: + description: |- + PipelineTask defines a task in a Pipeline, passing inputs from both + Params and from the output of previous tasks. + type: object + properties: + description: + description: |- + Description is the description of this task within the context of a Pipeline. + This description may be used to populate a UI. + type: string + displayName: + description: |- + DisplayName is the display name of this task within the context of a Pipeline. 
+ This display name may be used to populate a UI. + type: string + matrix: + description: Matrix declares parameters used to fan out this task. + type: object + properties: + include: + description: Include is a list of IncludeParams which allows passing in specific combinations of Parameters into the Matrix. + type: array + items: + description: IncludeParams allows passing in a specific combinations of Parameters into the Matrix. + type: object + properties: + name: + description: Name the specified combination + type: string + params: + description: |- + Params takes only `Parameters` of type `"string"` + The names of the `params` must match the names of the `params` in the underlying `Task` + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params is a list of parameters used to fan out the pipelineTask + Params takes only `Parameters` of type `"array"` + Each array element is supplied to the `PipelineTask` by substituting `params` of type `"string"` in the underlying `Task`. + The names of the `params` in the `Matrix` must match the names of the `params` in the underlying `Task` that they will be substituting. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of this task within the context of a Pipeline. Name is + used as a coordinate with the `from` and `runAfter` fields to establish + the execution order of tasks relative to one another. 
+ type: string + onError: + description: |- + OnError defines the exiting behavior of a PipelineRun on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Parameters declares parameters passed to this task. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: |- + PipelineRef is a reference to a pipeline definition + Note: PipelineRef is in preview mode and not yet supported + type: object + properties: + apiVersion: + description: API version of the referent + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". 
+ type: string + pipelineSpec: + description: |- + PipelineSpec is a specification of a pipeline + Note: PipelineSpec is in preview mode and not yet supported + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Pipeline.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + resources: + description: 'Deprecated: Unused, preserved only for backwards compatibility' + type: object + properties: + inputs: + description: |- + Inputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + PipelineTaskInputResource maps the name of a declared PipelineResource input + dependency in a Task to the resource in the Pipeline's DeclaredPipelineResources + that should be used. This input may come from a previous task. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - resource + properties: + from: + description: |- + From is the list of PipelineTask names that the resource has to come from. + (Implies an ordering in the execution graph.) + type: array + items: + type: string + x-kubernetes-list-type: atomic + name: + description: Name is the name of the PipelineResource as declared by the Task. + type: string + resource: + description: Resource is the name of the DeclaredPipelineResource to use. + type: string + x-kubernetes-list-type: atomic + outputs: + description: |- + Outputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + PipelineTaskOutputResource maps the name of a declared PipelineResource output + dependency in a Task to the resource in the Pipeline's DeclaredPipelineResources + that should be used. 
+ + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - resource + properties: + name: + description: Name is the name of the PipelineResource as declared by the Task. + type: string + resource: + description: Resource is the name of the DeclaredPipelineResource to use. + type: string + x-kubernetes-list-type: atomic + retries: + description: 'Retries represents how many times this task should be retried in case of task failure: ConditionSucceeded set to False' + type: integer + runAfter: + description: |- + RunAfter is the list of PipelineTask names that should be executed before + this Task executes. (Used to force a specific ordering in graph execution.) + type: array + items: + type: string + x-kubernetes-list-type: atomic + taskRef: + description: TaskRef is a reference to a task definition. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Cluster-Scoped Task when Kind is set to "ClusterTask" + 3. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. 
+ type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + TaskSpec is a specification of a task + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Task.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which the TaskRun times out. Defaults to 1 hour. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + when: + description: WhenExpressions is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + 
workspaces: + description: |- + Workspaces maps workspaces from the pipeline spec to the workspaces + declared in the Task. + type: array + items: + description: |- + WorkspacePipelineTaskBinding describes how a workspace passed into the pipeline should be + mapped to a task's declared workspace. + type: object + required: + - name + properties: + name: + description: Name is the name of the workspace as declared by the task + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + workspace: + description: Workspace is the name of the workspace declared by the pipeline + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params declares a list of input parameters that must be supplied when + this Pipeline is run. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. 
+ type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + resources: + description: 'Deprecated: Unused, preserved only for backwards compatibility' + type: array + items: + description: |- + PipelineDeclaredResource is used by a Pipeline to declare the types of the + PipelineResources that it will required to run and names which can be used to + refer to these PipelineResources in PipelineTaskResourceBindings. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - type + properties: + name: + description: |- + Name is the name that will be used by the Pipeline to refer to this resource. + It does not directly correspond to the name of any PipelineResources Task + inputs or outputs, and it does not correspond to the actual names of the + PipelineResources that will be bound in the PipelineRun. + type: string + optional: + description: |- + Optional declares the resource as optional. + optional: true - the resource is considered optional + optional: false - the resource is considered required (default/equivalent of not specifying it) + type: boolean + type: + description: Type is the type of the PipelineResource. 
+ type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this pipeline can output once run + type: array + items: + description: PipelineResult used to describe the results of a pipeline + type: object + required: + - name + - value + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. + The possible types are 'string', 'array', and 'object', with 'string' as the default. + 'array' and 'object' types are alpha features. + type: string + value: + description: Value the expression used to retrieve the value + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + tasks: + description: Tasks declares the graph of Tasks that execute when this Pipeline is run. + type: array + items: + description: |- + PipelineTask defines a task in a Pipeline, passing inputs from both + Params and from the output of previous tasks. + type: object + properties: + description: + description: |- + Description is the description of this task within the context of a Pipeline. + This description may be used to populate a UI. + type: string + displayName: + description: |- + DisplayName is the display name of this task within the context of a Pipeline. + This display name may be used to populate a UI. + type: string + matrix: + description: Matrix declares parameters used to fan out this task. + type: object + properties: + include: + description: Include is a list of IncludeParams which allows passing in specific combinations of Parameters into the Matrix. + type: array + items: + description: IncludeParams allows passing in a specific combinations of Parameters into the Matrix. 
+ type: object + properties: + name: + description: Name the specified combination + type: string + params: + description: |- + Params takes only `Parameters` of type `"string"` + The names of the `params` must match the names of the `params` in the underlying `Task` + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params is a list of parameters used to fan out the pipelineTask + Params takes only `Parameters` of type `"array"` + Each array element is supplied to the `PipelineTask` by substituting `params` of type `"string"` in the underlying `Task`. + The names of the `params` in the `Matrix` must match the names of the `params` in the underlying `Task` that they will be substituting. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of this task within the context of a Pipeline. Name is + used as a coordinate with the `from` and `runAfter` fields to establish + the execution order of tasks relative to one another. + type: string + onError: + description: |- + OnError defines the exiting behavior of a PipelineRun on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Parameters declares parameters passed to this task. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: |- + PipelineRef is a reference to a pipeline definition + Note: PipelineRef is in preview mode and not yet supported + type: object + properties: + apiVersion: + description: API version of the referent + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + pipelineSpec: + description: |- + PipelineSpec is a specification of a pipeline + Note: PipelineSpec is in preview mode and not yet supported + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. 
+ See Pipeline.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + resources: + description: 'Deprecated: Unused, preserved only for backwards compatibility' + type: object + properties: + inputs: + description: |- + Inputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + PipelineTaskInputResource maps the name of a declared PipelineResource input + dependency in a Task to the resource in the Pipeline's DeclaredPipelineResources + that should be used. This input may come from a previous task. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - resource + properties: + from: + description: |- + From is the list of PipelineTask names that the resource has to come from. + (Implies an ordering in the execution graph.) + type: array + items: + type: string + x-kubernetes-list-type: atomic + name: + description: Name is the name of the PipelineResource as declared by the Task. + type: string + resource: + description: Resource is the name of the DeclaredPipelineResource to use. + type: string + x-kubernetes-list-type: atomic + outputs: + description: |- + Outputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + PipelineTaskOutputResource maps the name of a declared PipelineResource output + dependency in a Task to the resource in the Pipeline's DeclaredPipelineResources + that should be used. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - resource + properties: + name: + description: Name is the name of the PipelineResource as declared by the Task. + type: string + resource: + description: Resource is the name of the DeclaredPipelineResource to use. 
+ type: string + x-kubernetes-list-type: atomic + retries: + description: 'Retries represents how many times this task should be retried in case of task failure: ConditionSucceeded set to False' + type: integer + runAfter: + description: |- + RunAfter is the list of PipelineTask names that should be executed before + this Task executes. (Used to force a specific ordering in graph execution.) + type: array + items: + type: string + x-kubernetes-list-type: atomic + taskRef: + description: TaskRef is a reference to a task definition. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Cluster-Scoped Task when Kind is set to "ClusterTask" + 3. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + TaskSpec is a specification of a task + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Task.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which the TaskRun times out. Defaults to 1 hour. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + when: + description: WhenExpressions is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workspaces: + description: |- + Workspaces maps workspaces from the pipeline spec to the workspaces + declared in 
the Task. + type: array + items: + description: |- + WorkspacePipelineTaskBinding describes how a workspace passed into the pipeline should be + mapped to a task's declared workspace. + type: object + required: + - name + properties: + name: + description: Name is the name of the workspace as declared by the task + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + workspace: + description: Workspace is the name of the workspace declared by the pipeline + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + workspaces: + description: |- + Workspaces declares a set of named workspaces that are expected to be + provided by a PipelineRun. + type: array + items: + description: |- + PipelineWorkspaceDeclaration creates a named slot in a Pipeline that a PipelineRun + is expected to populate with a workspace binding. + type: object + required: + - name + properties: + description: + description: |- + Description is a human readable string describing how the workspace will be + used in the Pipeline. It can be useful to include a bit of detail about which + tasks are intended to have access to the data on the workspace. + type: string + name: + description: Name is the name of a workspace to be provided by a PipelineRun. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in PipelineRuns. By default + this field is false and so declared workspaces are required. + type: boolean + x-kubernetes-list-type: atomic + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + Pipeline describes a list of Tasks to execute. It expresses how outputs + of tasks feed into inputs of subsequent tasks. 
+ type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Pipeline from the client + type: object + properties: + description: + description: |- + Description is a user-facing description of the pipeline that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the pipeline that may be + used to populate a UI. + type: string + finally: + description: |- + Finally declares the list of Tasks that execute just before leaving the Pipeline + i.e. either after all Tasks are finished executing successfully + or after a failure which would result in ending the Pipeline + type: array + items: + description: |- + PipelineTask defines a task in a Pipeline, passing inputs from both + Params and from the output of previous tasks. + type: object + properties: + description: + description: |- + Description is the description of this task within the context of a Pipeline. + This description may be used to populate a UI. + type: string + displayName: + description: |- + DisplayName is the display name of this task within the context of a Pipeline. + This display name may be used to populate a UI. 
+ type: string + matrix: + description: Matrix declares parameters used to fan out this task. + type: object + properties: + include: + description: Include is a list of IncludeParams which allows passing in specific combinations of Parameters into the Matrix. + type: array + items: + description: IncludeParams allows passing in a specific combinations of Parameters into the Matrix. + type: object + properties: + name: + description: Name the specified combination + type: string + params: + description: |- + Params takes only `Parameters` of type `"string"` + The names of the `params` must match the names of the `params` in the underlying `Task` + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params is a list of parameters used to fan out the pipelineTask + Params takes only `Parameters` of type `"array"` + Each array element is supplied to the `PipelineTask` by substituting `params` of type `"string"` in the underlying `Task`. + The names of the `params` in the `Matrix` must match the names of the `params` in the underlying `Task` that they will be substituting. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of this task within the context of a Pipeline. Name is + used as a coordinate with the `from` and `runAfter` fields to establish + the execution order of tasks relative to one another. 
+ type: string + onError: + description: |- + OnError defines the exiting behavior of a PipelineRun on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Parameters declares parameters passed to this task. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: |- + PipelineRef is a reference to a pipeline definition + Note: PipelineRef is in preview mode and not yet supported + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + pipelineSpec: + description: |- + PipelineSpec is a specification of a pipeline + Note: PipelineSpec is in preview mode and not yet supported + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. 
+ See Pipeline.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + retries: + description: 'Retries represents how many times this task should be retried in case of task failure: ConditionSucceeded set to False' + type: integer + runAfter: + description: |- + RunAfter is the list of PipelineTask names that should be executed before + this Task executes. (Used to force a specific ordering in graph execution.) + type: array + items: + type: string + x-kubernetes-list-type: atomic + taskRef: + description: TaskRef is a reference to a task definition. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + TaskSpec is a specification of a task + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. 
+ See Task.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which the TaskRun times out. Defaults to 1 hour. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + when: + description: When is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workspaces: + description: |- + Workspaces maps workspaces from the pipeline spec to the workspaces + declared in the Task. + type: array + items: + description: |- + WorkspacePipelineTaskBinding describes how a workspace passed into the pipeline should be + mapped to a task's declared workspace. + type: object + required: + - name + properties: + name: + description: Name is the name of the workspace as declared by the task + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). 
+ type: string + workspace: + description: Workspace is the name of the workspace declared by the pipeline + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params declares a list of input parameters that must be supplied when + this Pipeline is run. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. 
+ type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this pipeline can output once run + type: array + items: + description: PipelineResult used to describe the results of a pipeline + type: object + required: + - name + - value + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. + The possible types are 'string', 'array', and 'object', with 'string' as the default. + 'array' and 'object' types are alpha features. + type: string + value: + description: Value the expression used to retrieve the value + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + tasks: + description: Tasks declares the graph of Tasks that execute when this Pipeline is run. + type: array + items: + description: |- + PipelineTask defines a task in a Pipeline, passing inputs from both + Params and from the output of previous tasks. + type: object + properties: + description: + description: |- + Description is the description of this task within the context of a Pipeline. + This description may be used to populate a UI. + type: string + displayName: + description: |- + DisplayName is the display name of this task within the context of a Pipeline. + This display name may be used to populate a UI. + type: string + matrix: + description: Matrix declares parameters used to fan out this task. + type: object + properties: + include: + description: Include is a list of IncludeParams which allows passing in specific combinations of Parameters into the Matrix. + type: array + items: + description: IncludeParams allows passing in a specific combinations of Parameters into the Matrix. 
+ type: object + properties: + name: + description: Name the specified combination + type: string + params: + description: |- + Params takes only `Parameters` of type `"string"` + The names of the `params` must match the names of the `params` in the underlying `Task` + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + params: + description: |- + Params is a list of parameters used to fan out the pipelineTask + Params takes only `Parameters` of type `"array"` + Each array element is supplied to the `PipelineTask` by substituting `params` of type `"string"` in the underlying `Task`. + The names of the `params` in the `Matrix` must match the names of the `params` in the underlying `Task` that they will be substituting. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of this task within the context of a Pipeline. Name is + used as a coordinate with the `from` and `runAfter` fields to establish + the execution order of tasks relative to one another. + type: string + onError: + description: |- + OnError defines the exiting behavior of a PipelineRun on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Parameters declares parameters passed to this task. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: |- + PipelineRef is a reference to a pipeline definition + Note: PipelineRef is in preview mode and not yet supported + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + pipelineSpec: + description: |- + PipelineSpec is a specification of a pipeline + Note: PipelineSpec is in preview mode and not yet supported + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Pipeline.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + retries: + description: 'Retries represents how many times this task should be retried in case of task failure: ConditionSucceeded set to False' + type: integer + runAfter: + description: |- + RunAfter is the list of PipelineTask names that should be executed before + this Task executes. (Used to force a specific ordering in graph execution.) 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + taskRef: + description: TaskRef is a reference to a task definition. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + TaskSpec is a specification of a task + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Task.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which the TaskRun times out. Defaults to 1 hour. 
+ Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + when: + description: When is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workspaces: + description: |- + Workspaces maps workspaces from the pipeline spec to the workspaces + declared in the Task. + type: array + items: + description: |- + WorkspacePipelineTaskBinding describes how a workspace passed into the pipeline should be + mapped to a task's declared workspace. + type: object + required: + - name + properties: + name: + description: Name is the name of the workspace as declared by the task + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). 
+ type: string + workspace: + description: Workspace is the name of the workspace declared by the pipeline + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + workspaces: + description: |- + Workspaces declares a set of named workspaces that are expected to be + provided by a PipelineRun. + type: array + items: + description: |- + PipelineWorkspaceDeclaration creates a named slot in a Pipeline that a PipelineRun + is expected to populate with a workspace binding. + type: object + required: + - name + properties: + description: + description: |- + Description is a human readable string describing how the workspace will be + used in the Pipeline. It can be useful to include a bit of detail about which + tasks are intended to have access to the data on the workspace. + type: string + name: + description: Name is the name of a workspace to be provided by a PipelineRun. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in PipelineRuns. By default + this field is false and so declared workspaces are required. + type: boolean + x-kubernetes-list-type: atomic + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: Pipeline + plural: pipelines + singular: pipeline + categories: + - tekton + - tekton-pipelines + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: pipelineruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + description: |- + PipelineRun represents a single execution of a Pipeline. PipelineRuns are how + the graph of Tasks declared in a Pipeline are executed; they specify inputs + to Pipelines such as parameter values and capture operational aspects of the + Tasks execution such as service account and tolerations. Creating a + PipelineRun creates TaskRuns for Tasks in the referenced Pipeline. + + Deprecated: Please use v1.PipelineRun instead. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PipelineRunSpec defines the desired state of PipelineRun + type: object + properties: + params: + description: Params is a list of parameter names and values. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: PipelineRef can be used to refer to a specific instance of a Pipeline. + type: object + properties: + apiVersion: + description: API version of the referent + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + pipelineSpec: + description: |- + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. 
+ See Pipeline.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + podTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. + See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. + type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. + This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are + 'ClusterFirst', 'Default' or 'None'. 
DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. + type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. + type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. + type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. 
+ Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. 
+ Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. 
+ type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + resources: + description: |- + Resources is a list of bindings specifying which actual instances of + PipelineResources to use for the resources the Pipeline has declared + it needs. + + Deprecated: Unused, preserved only for backwards compatibility + type: array + items: + description: |- + PipelineResourceBinding connects a reference to an instance of a PipelineResource + with a PipelineResource dependency that the Pipeline has declared + + Deprecated: Unused, preserved only for backwards compatibility + type: object + properties: + name: + description: Name is the name of the PipelineResource in the Pipeline's declaration + type: string + resourceRef: + description: |- + ResourceRef is a reference to the instance of the actual PipelineResource + that should be used + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + resourceSpec: + description: |- + ResourceSpec is specification of a resource that should be created and + consumed by the task + type: object + required: + - params + - type + properties: + description: + description: |- + Description is a user-facing description of the resource that may be + used to populate a UI. + type: string + params: + type: array + items: + description: |- + ResourceParam declares a string value to use for the parameter called Name, and is used in + the specific context of PipelineResources. 
+ + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - value + properties: + name: + type: string + value: + type: string + x-kubernetes-list-type: atomic + secrets: + description: Secrets to fetch to populate some of resource fields + type: array + items: + description: |- + SecretParam indicates which secret can be used to populate a field of the resource + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - fieldName + - secretKey + - secretName + properties: + fieldName: + type: string + secretKey: + type: string + secretName: + type: string + x-kubernetes-list-type: atomic + type: + description: |- + PipelineResourceType represents the type of endpoint the pipelineResource is, so that the + controller will know this pipelineResource shouldx be fetched and optionally what + additional metatdata should be provided for it. + + Deprecated: Unused, preserved only for backwards compatibility + type: string + x-kubernetes-list-type: atomic + serviceAccountName: + type: string + status: + description: Used for cancelling a pipelinerun (and maybe more later on) + type: string + taskRunSpecs: + description: TaskRunSpecs holds a set of runtime specs + type: array + items: + description: |- + PipelineTaskRunSpec can be used to configure specific + specs for a concrete Task + type: object + properties: + computeResources: + description: Compute resources to use for this TaskRun + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + metadata: + description: PipelineTaskMetadata contains the labels or annotations for an EmbeddedTask + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + labels: + type: object + additionalProperties: + type: string + pipelineTaskName: + type: string + sidecarOverrides: + type: array + items: + description: TaskRunSidecarOverride is used to override the values of a Sidecar in the corresponding Task. + type: object + required: + - name + - resources + properties: + name: + description: The name of the Sidecar to override. + type: string + resources: + description: The resource requirements to apply to the Sidecar. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + x-kubernetes-list-type: atomic + stepOverrides: + type: array + items: + description: TaskRunStepOverride is used to override the values of a Step in the corresponding Task. + type: object + required: + - name + - resources + properties: + name: + description: The name of the Step to override. + type: string + resources: + description: The resource requirements to apply to the Step. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + x-kubernetes-list-type: atomic + taskPodTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. 
+ See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. + type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. + This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are + 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. 
+ type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. + type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. + type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. 
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". 
+ type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. 
+ If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. 
+ The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. 
+ type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. 
+ type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. + type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. 
+ type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + taskServiceAccountName: + type: string + x-kubernetes-list-type: atomic + timeout: + description: |- + Timeout is the Time after which the Pipeline times out. + Defaults to never. + Refer to Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + + Deprecated: use pipelineRunSpec.Timeouts.Pipeline instead + type: string + timeouts: + description: |- + Time after which the Pipeline times out. + Currently three keys are accepted in the map + pipeline, tasks and finally + with Timeouts.pipeline >= Timeouts.tasks + Timeouts.finally + type: object + properties: + finally: + description: Finally sets the maximum allowed duration of this pipeline's finally + type: string + pipeline: + description: Pipeline sets the maximum allowed duration for execution of the entire pipeline. The sum of individual timeouts for tasks and finally must not exceed this value. + type: string + tasks: + description: Tasks sets the maximum allowed duration of this pipeline's tasks + type: string + workspaces: + description: |- + Workspaces holds a set of workspace bindings that must match names + with those declared in the pipeline. + type: array + items: + description: WorkspaceBinding maps a Task's declared workspace to a Volume. + type: object + required: + - name + properties: + configMap: + description: ConfigMap represents a configMap that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. 
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + csi: + description: CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers. + type: object + required: + - driver + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). 
+ type: boolean + volumeAttributes: + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + additionalProperties: + type: string + emptyDir: + description: |- + EmptyDir represents a temporary directory that shares a Task's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + Either this OR PersistentVolumeClaim can be used. + type: object + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: Name is the name of the workspace populated by the volume. + type: string + persistentVolumeClaim: + description: |- + PersistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. Either this OR EmptyDir can be used. + type: object + required: + - claimName + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + projected: + description: Projected represents a projected volume that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + type: array + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + type: object + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. 
+ type: object + required: + - path + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. 
If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. 
Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. 
+ type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: Secret represents a secret that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. 
+ This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + volumeClaimTemplate: + description: |- + VolumeClaimTemplate is a template for a claim that will be created in the same namespace. + The PipelineRun controller is responsible for creating a unique claim for each instance of PipelineRun. + See PersistentVolumeClaim (API version: v1) + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + status: + description: PipelineRunStatus defines the observed state of PipelineRun + type: object + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + childReferences: + description: list of TaskRun and Run names, PipelineTask names, and API versions/kinds for children of this PipelineRun. 
+ type: array + items: + description: ChildStatusReference is used to point to the statuses of individual TaskRuns and Runs within this PipelineRun. + type: object + properties: + apiVersion: + type: string + displayName: + description: |- + DisplayName is a user-facing name of the pipelineTask that may be + used to populate a UI. + type: string + kind: + type: string + name: + description: Name is the name of the TaskRun or Run this is referencing. + type: string + pipelineTaskName: + description: PipelineTaskName is the name of the PipelineTask this is referencing. + type: string + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + completionTime: + description: CompletionTime is the time the PipelineRun completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. 
+ type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + finallyStartTime: + description: FinallyStartTime is when all non-finally tasks have been completed and only finally tasks are being executed. + type: string + format: date-time + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. 
+ type: integer + format: int64 + pipelineResults: + description: PipelineResults are the list of results written out by the pipeline task's containers + type: array + items: + description: PipelineRunResult used to describe the results of a pipeline + type: object + required: + - name + - value + properties: + name: + description: Name is the result's name as declared by the Pipeline + type: string + value: + description: Value is the result returned from the execution of this PipelineRun + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineSpec: + description: |- + PipelineSpec contains the exact spec used to instantiate the run. + See Pipeline.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + provenance: + description: Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). + type: object + properties: + configSource: + description: 'Deprecated: Use RefSource instead' + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. 
+ Example: "https://github.com/tektoncd/catalog" + type: string + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + runs: + description: |- + Runs is a map of PipelineRunRunStatus with the run name as the key + + Deprecated: use ChildReferences instead. As of v0.45.0, this field is no + longer populated and is only included for backwards compatibility with + older server versions. + type: object + additionalProperties: + description: PipelineRunRunStatus contains the name of the PipelineTask for this CustomRun or Run and the CustomRun or Run's Status + type: object + properties: + pipelineTaskName: + description: PipelineTaskName is the name of the PipelineTask. + type: string + status: + description: Status is the CustomRunStatus for the corresponding CustomRun or Run + type: object + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + completionTime: + description: CompletionTime is the time the build completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. 
+ See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + extraFields: + description: |- + ExtraFields holds arbitrary fields provided by the custom task + controller. + x-kubernetes-preserve-unknown-fields: true + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + results: + description: |- + Results reports any output result values to be consumed by later + tasks in a pipeline. + type: array + items: + description: CustomRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + value: + description: Value the given value of the result + type: string + retriesStatus: + description: |- + RetriesStatus contains the history of CustomRunStatus, in case of a retry. 
+ See CustomRun.status (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + startTime: + description: StartTime is the time the build is actually started. + type: string + format: date-time + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + skippedTasks: + description: list of tasks that were skipped due to when expressions evaluating to false + type: array + items: + description: |- + SkippedTask is used to describe the Tasks that were skipped due to their When Expressions + evaluating to False. This is a struct because we are looking into including more details + about the When Expressions that caused this Task to be skipped. + type: object + required: + - name + - reason + properties: + name: + description: Name is the Pipeline Task name + type: string + reason: + description: Reason is the cause of the PipelineTask being skipped. 
+ type: string + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + spanContext: + description: SpanContext contains tracing span context fields + type: object + additionalProperties: + type: string + startTime: + description: StartTime is the time the PipelineRun is actually started. + type: string + format: date-time + taskRuns: + description: |- + TaskRuns is a map of PipelineRunTaskRunStatus with the taskRun name as the key. + + Deprecated: use ChildReferences instead. As of v0.45.0, this field is no + longer populated and is only included for backwards compatibility with + older server versions. + type: object + additionalProperties: + description: PipelineRunTaskRunStatus contains the name of the PipelineTask for this TaskRun and the TaskRun's Status + type: object + properties: + pipelineTaskName: + description: PipelineTaskName is the name of the PipelineTask. 
+ type: string + status: + description: Status is the TaskRunStatus for the corresponding TaskRun + type: object + required: + - podName + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + cloudEvents: + description: |- + CloudEvents describe the state of each cloud event requested via a + CloudEventResource. + + Deprecated: Removed in v0.44.0. + type: array + items: + description: |- + CloudEventDelivery is the target of a cloud event along with the state of + delivery. + type: object + properties: + status: + description: CloudEventDeliveryState reports the state of a cloud event to be sent. + type: object + required: + - message + - retryCount + properties: + condition: + description: Current status + type: string + message: + description: Error is the text of error (if any) + type: string + retryCount: + description: RetryCount is the number of attempts of sending the cloud event + type: integer + format: int32 + sentAt: + description: SentAt is the time at which the last attempt to send the event was made + type: string + format: date-time + target: + description: Target points to an addressable + type: string + x-kubernetes-list-type: atomic + completionTime: + description: CompletionTime is the time the build completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. 
+ See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + podName: + description: PodName is the name of the pod responsible for executing this task's steps. + type: string + provenance: + description: Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). + type: object + properties: + configSource: + description: 'Deprecated: Use RefSource instead' + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. 
This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. 
+ type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + resourcesResult: + description: |- + Results from Resources built during the TaskRun. + This is tomb-stoned along with the removal of pipelineResources + Deprecated: this field is not populated and is preserved only for backwards compatibility + type: array + items: + description: |- + RunResult is used to write key/value pairs to TaskRun pod termination messages. + The key/value pairs may come from the entrypoint binary, or represent a TaskRunResult. + If they represent a TaskRunResult, the key is the name of the result and the value is the + JSON-serialized value of the result. + type: object + required: + - key + - value + properties: + key: + type: string + resourceName: + description: |- + ResourceName may be used in tests, but it is not populated in termination messages. + It is preserved here for backwards compatibility and will not be ported to v1. + type: string + type: + description: |- + ResultType used to find out whether a RunResult is from a task result or not + Note that ResultsType is another type which is used to define the data type + (e.g. 
string, array, etc) we used for Results + type: integer + value: + type: string + x-kubernetes-list-type: atomic + retriesStatus: + description: |- + RetriesStatus contains the history of TaskRunStatus in case of a retry in order to keep record of failures. + All TaskRunStatus stored in RetriesStatus will have no date within the RetriesStatus as is redundant. + See TaskRun.status (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + sidecars: + description: |- + The list has one entry per sidecar in the manifest. Each entry is + represents the imageid of the corresponding sidecar. + type: array + items: + description: SidecarState reports the results of running a sidecar in a Task. + type: object + properties: + container: + type: string + imageID: + type: string + name: + type: string + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at which previous execution of the container started + type: string + format: date-time + waiting: + description: Details about a waiting container + type: object + properties: + message: + 
description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + x-kubernetes-list-type: atomic + spanContext: + description: SpanContext contains tracing span context fields + type: object + additionalProperties: + type: string + startTime: + description: StartTime is the time the build is actually started. + type: string + format: date-time + steps: + description: Steps describes the state of each build step container. + type: array + items: + description: StepState reports the results of running a step in a Task. + type: object + properties: + container: + type: string + imageID: + type: string + inputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + name: + type: string + outputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. 
+ type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + provenance: + description: |- + Provenance contains metadata about resources used in the TaskRun/PipelineRun + such as the source from where a remote build definition was fetched. + This field aims to carry minimum amoumt of metadata in *Run status so that + Tekton Chains can capture them in the provenance. + type: object + properties: + configSource: + description: 'Deprecated: Use RefSource instead' + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. 
+ Example: "https://github.com/tektoncd/catalog" + type: string + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + results: + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at 
which previous execution of the container started + type: string + format: date-time + waiting: + description: Details about a waiting container + type: object + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + x-kubernetes-list-type: atomic + taskResults: + description: TaskRunResults are the list of results written out by the task's containers + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + taskSpec: + description: |- + TaskSpec contains the Spec from the dereferenced Task definition used to instantiate this TaskRun. 
+ See Task.spec (API version tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + PipelineRun represents a single execution of a Pipeline. 
PipelineRuns are how + the graph of Tasks declared in a Pipeline are executed; they specify inputs + to Pipelines such as parameter values and capture operational aspects of the + Tasks execution such as service account and tolerations. Creating a + PipelineRun creates TaskRuns for Tasks in the referenced Pipeline. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PipelineRunSpec defines the desired state of PipelineRun + type: object + properties: + params: + description: Params is a list of parameter names and values. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + pipelineRef: + description: PipelineRef can be used to refer to a specific instance of a Pipeline. + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. 
Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + pipelineSpec: + description: |- + Specifying PipelineSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Pipeline.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + status: + description: Used for cancelling a pipelinerun (and maybe more later on) + type: string + taskRunSpecs: + description: TaskRunSpecs holds a set of runtime specs + type: array + items: + description: |- + PipelineTaskRunSpec can be used to configure specific + specs for a concrete Task + type: object + properties: + computeResources: + description: Compute resources to use for this TaskRun + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. 
+ If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + metadata: + description: PipelineTaskMetadata contains the labels or annotations for an EmbeddedTask + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + labels: + type: object + additionalProperties: + type: string + pipelineTaskName: + type: string + podTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. + See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. 
+ type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. + This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are + 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. + type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. 
+ type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. 
+ type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. + type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. 
+ If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. 
The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. 
+ type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. 
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. 
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. + type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. 
+ + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. 
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + type: string + sidecarSpecs: + type: array + items: + description: TaskRunSidecarSpec is used to override the values of a Sidecar in the corresponding Task. + type: object + required: + - computeResources + - name + properties: + computeResources: + description: The resource requirements to apply to the Sidecar. 
+ type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: The name of the Sidecar to override. + type: string + x-kubernetes-list-type: atomic + stepSpecs: + type: array + items: + description: TaskRunStepSpec is used to override the values of a Step in the corresponding Task. + type: object + required: + - computeResources + - name + properties: + computeResources: + description: The resource requirements to apply to the Step. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: The name of the Step to override. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + taskRunTemplate: + description: TaskRunTemplate represent template of taskrun + type: object + properties: + podTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. + See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. + type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. 
+ This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are + 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. + type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. 
If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. + type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. 
+ type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. 
If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. 
+ type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. 
+ If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). 
If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. 
+ type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. 
Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. + type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. 
+ The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. 
+ In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. 
+ It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + type: string + timeouts: + description: |- + Time after which the Pipeline times out. + Currently three keys are accepted in the map + pipeline, tasks and finally + with Timeouts.pipeline >= Timeouts.tasks + Timeouts.finally + type: object + properties: + finally: + description: Finally sets the maximum allowed duration of this pipeline's finally + type: string + pipeline: + description: Pipeline sets the maximum allowed duration for execution of the entire pipeline. The sum of individual timeouts for tasks and finally must not exceed this value. 
+ type: string + tasks: + description: Tasks sets the maximum allowed duration of this pipeline's tasks + type: string + workspaces: + description: |- + Workspaces holds a set of workspace bindings that must match names + with those declared in the pipeline. + type: array + items: + description: WorkspaceBinding maps a Task's declared workspace to a Volume. + type: object + required: + - name + properties: + configMap: + description: ConfigMap represents a configMap that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + csi: + description: CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers. + type: object + required: + - driver + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. 
If the + secret object contains more than one secret, all secret references are passed. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + additionalProperties: + type: string + emptyDir: + description: |- + EmptyDir represents a temporary directory that shares a Task's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + Either this OR PersistentVolumeClaim can be used. + type: object + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: Name is the name of the workspace populated by the volume. + type: string + persistentVolumeClaim: + description: |- + PersistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. Either this OR EmptyDir can be used. + type: object + required: + - claimName + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + projected: + description: Projected represents a projected volume that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + type: array + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. 
+ type: object + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + type: object + required: + - path + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. 
+ type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: Secret represents a secret that should populate this workspace. 
+ type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. 
+ type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + volumeClaimTemplate: + description: |- + VolumeClaimTemplate is a template for a claim that will be created in the same namespace. + The PipelineRun controller is responsible for creating a unique claim for each instance of PipelineRun. + See PersistentVolumeClaim (API version: v1) + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + status: + description: PipelineRunStatus defines the observed state of PipelineRun + type: object + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + childReferences: + description: list of TaskRun and Run names, PipelineTask names, and API versions/kinds for children of this PipelineRun. + type: array + items: + description: ChildStatusReference is used to point to the statuses of individual TaskRuns and Runs within this PipelineRun. + type: object + properties: + apiVersion: + type: string + displayName: + description: |- + DisplayName is a user-facing name of the pipelineTask that may be + used to populate a UI. + type: string + kind: + type: string + name: + description: Name is the name of the TaskRun or Run this is referencing. 
+ type: string + pipelineTaskName: + description: PipelineTaskName is the name of the PipelineTask this is referencing. + type: string + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + completionTime: + description: CompletionTime is the time the PipelineRun completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. 
+ We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + finallyStartTime: + description: FinallyStartTime is when all non-finally tasks have been completed and only finally tasks are being executed. + type: string + format: date-time + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + pipelineSpec: + description: |- + PipelineSpec contains the exact spec used to instantiate the run. + See Pipeline.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + provenance: + description: Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). 
+ type: object + properties: + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + results: + description: Results are the list of results written out by the pipeline task's containers + type: array + items: + description: PipelineRunResult used to describe the results of a pipeline + type: object + required: + - name + - value + properties: + name: + description: Name is the result's name as declared by the Pipeline + type: string + value: + description: Value is the result returned from the execution of this PipelineRun + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + skippedTasks: + description: list of tasks that were skipped due to when expressions evaluating to false + type: array + items: + description: |- + SkippedTask is used to describe the Tasks that were skipped due to their When Expressions + evaluating to False. This is a struct because we are looking into including more details + about the When Expressions that caused this Task to be skipped. + type: object + required: + - name + - reason + properties: + name: + description: Name is the Pipeline Task name + type: string + reason: + description: Reason is the cause of the PipelineTask being skipped. 
+ type: string + whenExpressions: + description: WhenExpressions is the list of checks guarding the execution of the PipelineTask + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + spanContext: + description: SpanContext contains tracing span context fields + type: object + additionalProperties: + type: string + startTime: + description: StartTime is the time the PipelineRun is actually started. 
+ type: string + format: date-time + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: PipelineRun + plural: pipelineruns + singular: pipelinerun + categories: + - tekton + - tekton-pipelines + shortNames: + - pr + - prs + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: resolutionrequests.resolution.tekton.dev + labels: + resolution.tekton.dev/release: devel +spec: + group: resolution.tekton.dev + scope: Namespaced + names: + kind: ResolutionRequest + plural: resolutionrequests + singular: resolutionrequest + categories: + - tekton + - tekton-pipelines + shortNames: + - resolutionrequest + - resolutionrequests + versions: + - name: v1alpha1 + served: true + deprecated: true + storage: false + subresources: + status: {} + schema: + openAPIV3Schema: + description: |- + ResolutionRequest is an object for requesting the content of + a Tekton resource like a pipeline.yaml. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the information for the request part of the resource request. + type: object + properties: + params: + description: |- + Parameters are the runtime attributes passed to + the resolver to help it figure out how to resolve the + resource being requested. For example: repo URL, commit SHA, + path to file, the kind of authentication to leverage, etc. 
+ type: object + additionalProperties: + type: string + status: + description: |- + Status communicates the state of the request and, ultimately, + the content of the resolved resource. + type: object + required: + - data + - refSource + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + data: + description: |- + Data is a string representation of the resolved content + of the requested resource in-lined into the ResolutionRequest + object. 
+ type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + refSource: + description: |- + RefSource is the source reference of the remote data that records where the remote + file came from including the url, digest and the entrypoint. + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: |- + ResolutionRequest is an object for requesting the content of + a Tekton resource like a pipeline.yaml. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the information for the request part of the resource request. + type: object + properties: + params: + description: |- + Parameters are the runtime attributes passed to + the resolver to help it figure out how to resolve the + resource being requested. For example: repo URL, commit SHA, + path to file, the kind of authentication to leverage, etc. 
+ type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + url: + description: |- + URL is the runtime url passed to the resolver + to help it figure out how to resolver the resource being + requested. + This is currently at an ALPHA stability level and subject to + alpha API compatibility policies. + type: string + status: + description: |- + Status communicates the state of the request and, ultimately, + the content of the resolved resource. + type: object + required: + - data + - refSource + - source + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + data: + description: |- + Data is a string representation of the resolved content + of the requested resource in-lined into the ResolutionRequest + object. + type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + refSource: + description: |- + RefSource is the source reference of the remote data that records the url, digest + and the entrypoint. + x-kubernetes-preserve-unknown-fields: true + source: + description: 'Deprecated: Use RefSource instead' + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: OwnerKind + type: string + jsonPath: ".metadata.ownerReferences[0].kind" + - name: Owner + type: string + jsonPath: ".metadata.ownerReferences[0].name" + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" + - name: StartTime + type: string + jsonPath: .metadata.creationTimestamp + - name: EndTime + type: string + jsonPath: .status.conditions[?(@.type=='Succeeded')].lastTransitionTime + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1alpha1", "v1beta1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: stepactions.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + description: |- + StepAction represents the actionable components of Step. + The Step can only reference it from the cluster or using remote resolution. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Step from the client + type: object + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. 
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + description: + description: |- + Description is a user-facing description of the stepaction that may be + used to populate a UI. + type: string + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. 
+ type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. 
+ type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name to run for this StepAction. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + params: + description: |- + Params is a list of input parameters required to run the stepAction. + Params must be supplied as inputs in Steps unless they declare a defaultvalue. 
+ type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this StepAction can output + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. 
+ type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + The value set in StepAction will take precedence over the value from Task. + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. 
+ Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. 
+ type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. 
+ type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. 
+ type: string + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + StepAction represents the actionable components of Step. + The Step can only reference it from the cluster or using remote resolution. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Step from the client + type: object + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. 
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + description: + description: |- + Description is a user-facing description of the stepaction that may be + used to populate a UI. + type: string + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
+ Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name to run for this StepAction. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + params: + description: |- + Params is a list of input parameters required to run the stepAction. + Params must be supplied as inputs in Steps unless they declare a defaultvalue. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. 
+ type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this StepAction can output + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. 
+ type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + The value set in StepAction will take precedence over the value from Task. + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. 
+ Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. 
If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: StepAction + plural: stepactions + singular: stepaction + categories: + - tekton + - tekton-pipelines + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1alpha1", "v1beta1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + description: |- + Task represents a collection of sequential steps that are run as part of a + Pipeline using a set of inputs and producing a set of outputs. Tasks execute + when TaskRuns are created that provide the input parameters and resources and + output resources the Task requires. + + Deprecated: Please use v1.Task instead. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Task from the client + type: object + properties: + description: + description: |- + Description is a user-facing description of the task that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the task that may be + used to populate a UI. + type: string + params: + description: |- + Params is a list of input parameters required to run the task. Params + must be supplied as inputs in TaskRuns unless they declare a default + value. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. 
+ type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + resources: + description: |- + Resources is a list input and output resource to run the task + Resources are represented in TaskRuns as bindings to instances of + PipelineResources. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + properties: + inputs: + description: |- + Inputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + TaskResource defines an input or output Resource declared as a requirement + by a Task. The Name field will be used to refer to these Resources within + the Task definition, and when provided as an Input, the Name will be the + path to the volume mounted containing this Resource as an input (e.g. + an input Resource named `workspace` will be mounted at `/workspace`). + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - type + properties: + description: + description: |- + Description is a user-facing description of the declared resource that may be + used to populate a UI. + type: string + name: + description: |- + Name declares the name by which a resource is referenced in the + definition. Resources may be referenced by name in the definition of a + Task's steps. + type: string + optional: + description: |- + Optional declares the resource as optional. 
+ By default optional is set to false which makes a resource required. + optional: true - the resource is considered optional + optional: false - the resource is considered required (equivalent of not specifying it) + type: boolean + targetPath: + description: |- + TargetPath is the path in workspace directory where the resource + will be copied. + type: string + type: + description: Type is the type of this resource; + type: string + x-kubernetes-list-type: atomic + outputs: + description: |- + Outputs holds the mapping from the PipelineResources declared in + DeclaredPipelineResources to the input PipelineResources required by the Task. + type: array + items: + description: |- + TaskResource defines an input or output Resource declared as a requirement + by a Task. The Name field will be used to refer to these Resources within + the Task definition, and when provided as an Input, the Name will be the + path to the volume mounted containing this Resource as an input (e.g. + an input Resource named `workspace` will be mounted at `/workspace`). + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - type + properties: + description: + description: |- + Description is a user-facing description of the declared resource that may be + used to populate a UI. + type: string + name: + description: |- + Name declares the name by which a resource is referenced in the + definition. Resources may be referenced by name in the definition of a + Task's steps. + type: string + optional: + description: |- + Optional declares the resource as optional. + By default optional is set to false which makes a resource required. + optional: true - the resource is considered optional + optional: false - the resource is considered required (equivalent of not specifying it) + type: boolean + targetPath: + description: |- + TargetPath is the path in workspace directory where the resource + will be copied. 
+ type: string + type: + description: Type is the type of this resource; + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this Task can output + type: array + items: + description: TaskResult used to describe the results of a task + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the expression used to retrieve the value of the result from an underlying Step. + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + sidecars: + description: |- + Sidecars are run alongside the Task's step containers. They begin before + the steps start and end after the steps complete. + type: array + items: + description: Sidecar has nearly the same data structure as Step but does not have the ability to timeout. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. 
"$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the Sidecar. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
+ Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Sidecar. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Sidecar is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. 
+ type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image name to be used by the Sidecar. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to Sidecar lifecycle events. + Cannot be updated. 
+ type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. 
+ Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of Sidecar liveness. + Container will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. 
+ type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Sidecar specified as a DNS_LABEL. + Each Sidecar in a Task must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: |- + List of ports to expose from the Sidecar. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of Sidecar service readiness. 
+ Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: + description: |- + Compute Resources required by this Sidecar. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + restartPolicy: + description: |- + RestartPolicy refers to kubernetes RestartPolicy. It can only be set for an + initContainer and must have it's policy set to "Always". It is currently + left optional to help support Kubernetes versions prior to 1.29 when this feature + was introduced. + type: string + script: + description: |- + Script is the contents of an executable file to execute. 
+ + If Script is not empty, the Step cannot have an Command or Args. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Sidecar should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". 
Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + StartupProbe indicates that the Pod the Sidecar is running in has successfully initialized. 
+ If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. 
+ type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. 
+ type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Sidecar should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Sidecar will always result in EOF. + Default is false. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. 
If stdinOnce is set to true, stdin is opened on Sidecar start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the Sidecar is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + type: boolean + terminationMessagePath: + description: |- + Optional: Path at which the file to which the Sidecar's termination message + will be written is mounted into the Sidecar's filesystem. + Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. + type: string + terminationMessagePolicy: + description: |- + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the Sidecar status message on both success and failure. + FallbackToLogsOnError will use the last chunk of Sidecar log output if the termination + message file is empty and the Sidecar exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. + type: string + tty: + description: |- + Whether this Sidecar should allocate a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Sidecar. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. 
+ type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Sidecar's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). 
+ + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Sidecar's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Sidecar wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. 
+ type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + stepTemplate: + description: |- + StepTemplate can be used as the basis for all step containers within the + Task, so that the steps inherit settings on the base container. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The docker image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. 
+ type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. 
+ The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Default image name to use for each Step. 
+ More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to container lifecycle events. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. 
You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Default name for each Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: string + ports: + description: |- + List of ports to expose from the Step's container. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + + Deprecated: This field will be removed in a future release. 
+ type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. 
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). 
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + resources: + description: |- + Compute Resources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. 
+ Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + DeprecatedStartupProbe indicates that the Pod has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Step should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Step will always result in EOF. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + + Deprecated: This field will be removed in a future release. + type: boolean + terminationMessagePath: + description: 'Deprecated: This field will be removed in a future release and cannot be meaningfully used.' + type: string + terminationMessagePolicy: + description: 'Deprecated: This field will be removed in a future release and cannot be meaningfully used.' + type: string + tty: + description: |- + Whether this Step should allocate a DeprecatedTTY for itself, also requires 'stdin' to be true. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. 
+ type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. 
If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + steps: + description: |- + Steps are the steps of the build; each step is run sequentially with the + source mounted into /workspace. + type: array + items: + description: Step runs a subcomponent of a Task + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. 
Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + env: + description: |- + List of environment variables to set in the container. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. 
Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the container. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. 
+ type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name to run for this Step. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to container lifecycle events. + Cannot be updated. 
+ + Deprecated: This field will be removed in a future release. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of container liveness. + Step will be restarted if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. 
Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + type: string + onError: + description: |- + OnError defines the exiting behavior of a container on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Params declares parameters passed to this step action. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + ports: + description: |- + List of ports to expose from the Step's container. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + + Deprecated: This field will be removed in a future release. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. 
+ type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of container service readiness. + Step will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. 
+ type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + ref: + description: Contains the reference to an existing StepAction. 
+ type: object + properties: + name: + description: Name of the referenced step + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + resources: + description: |- + Compute Resources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + results: + description: |- + Results declares StepResults produced by the Step. + + This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. + + It can be used in an inlined Step when used to store Results to $(step.results.resultName.path). + It cannot be used when referencing StepActions using [v1beta1.Step.Ref]. + The Results declared by the StepActions will be stored here instead. + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. 
+ type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. 
+ Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + DeprecatedStartupProbe indicates that the Pod this Step runs in has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + + Deprecated: This field will be removed in a future release. + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stderrConfig: + description: Stores configuration for the stderr stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + stdin: + description: |- + Whether this container should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will always result in EOF. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + + Deprecated: This field will be removed in a future release. + type: boolean + stdoutConfig: + description: Stores configuration for the stdout stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + terminationMessagePath: + description: 'Deprecated: This field will be removed in a future release and can''t be meaningfully used.' 
+ type: string + terminationMessagePolicy: + description: 'Deprecated: This field will be removed in a future release and can''t be meaningfully used.' + type: string + timeout: + description: |- + Timeout is the time after which the step times out. Defaults to never. + Refer to Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + tty: + description: |- + Whether this container should allocate a DeprecatedTTY for itself, also requires 'stdin' to be true. + Default is false. + + Deprecated: This field will be removed in a future release. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + when: + description: |- + WhenExpressions are used to specify whether a Task should be executed or skipped + All of them need to evaluate to True for a guarded Task to be executed. 
+ type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Step wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + volumes: + description: |- + Volumes is a collection of volumes that are available to mount into the + steps of the build. + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + workspaces: + description: Workspaces are the volumes that this Task requires. + type: array + items: + description: WorkspaceDeclaration is a declaration of a volume that a Task requires. + type: object + required: + - name + properties: + description: + description: Description is an optional human readable description of this volume. + type: string + mountPath: + description: MountPath overrides the directory that the volume will be made available at. + type: string + name: + description: Name is the name by which you can bind the volume at runtime. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in TaskRuns. By default + this field is false and so declared workspaces are required. + type: boolean + readOnly: + description: |- + ReadOnly dictates whether a mounted volume is writable. By default this + field is false and so mounted volumes are writable. + type: boolean + x-kubernetes-list-type: atomic + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + Task represents a collection of sequential steps that are run as part of a + Pipeline using a set of inputs and producing a set of outputs. 
Tasks execute + when TaskRuns are created that provide the input parameters and resources and + output resources the Task requires. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Task from the client + type: object + properties: + description: + description: |- + Description is a user-facing description of the task that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the task that may be + used to populate a UI. + type: string + params: + description: |- + Params is a list of input parameters required to run the task. Params + must be supplied as inputs in TaskRuns unless they declare a default + value. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. 
+ x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this Task can output + type: array + items: + description: TaskResult used to describe the results of a task + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the result. 
The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the expression used to retrieve the value of the result from an underlying Step. + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + sidecars: + description: |- + Sidecars are run alongside the Task's step containers. They begin before + the steps start and end after the steps complete. + type: array + items: + description: Sidecar has nearly the same data structure as Step but does not have the ability to timeout. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. 
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Sidecar. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Sidecar. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Sidecar. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to Sidecar lifecycle events. + Cannot be updated. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of Sidecar liveness. + Container will be restarted if the probe fails. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Sidecar specified as a DNS_LABEL. + Each Sidecar in a Task must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: |- + List of ports to expose from the Sidecar. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. 
+ type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of Sidecar service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + restartPolicy: + description: |- + RestartPolicy refers to kubernetes RestartPolicy. It can only be set for an + initContainer and must have it's policy set to "Always". It is currently + left optional to help support Kubernetes versions prior to 1.29 when this feature + was introduced. + type: string + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command or Args. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Sidecar should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. 
+ Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + StartupProbe indicates that the Pod the Sidecar is running in has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. 
Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Sidecar should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Sidecar will always result in EOF. + Default is false. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on Sidecar start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the Sidecar is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + type: boolean + terminationMessagePath: + description: |- + Optional: Path at which the file to which the Sidecar's termination message + will be written is mounted into the Sidecar's filesystem. + Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. + type: string + terminationMessagePolicy: + description: |- + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the Sidecar status message on both success and failure. + FallbackToLogsOnError will use the last chunk of Sidecar log output if the termination + message file is empty and the Sidecar exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. 
+ type: string + tty: + description: |- + Whether this Sidecar should allocate a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Sidecar. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Sidecar's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. 
+ + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Sidecar's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Sidecar wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + stepTemplate: + description: |- + StepTemplate can be used as the basis for all step containers within the + Task, so that the steps inherit settings on the base container. + type: object + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. 
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Step. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Step is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. 
+ Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + steps: + description: |- + Steps are the steps of the build; each step is run sequentially with the + source mounted into /workspace. 
+ type: array + items: + description: Step runs a subcomponent of a Task + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Step. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Step. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Step is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Docker image name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + name: + description: |- + Name of the Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + type: string + onError: + description: |- + OnError defines the exiting behavior of a container on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Params declares parameters passed to this step action. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + ref: + description: Contains the reference to an existing StepAction. + type: object + properties: + name: + description: Name of the referenced step + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + results: + description: |- + Results declares StepResults produced by the Step. + + This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. + + It can be used in an inlined Step when used to store Results to $(step.results.resultName.path). + It cannot be used when referencing StepActions using [v1.Step.Ref]. + The Results declared by the StepActions will be stored here instead. + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. 
+ type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". 
Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + stderrConfig: + description: Stores configuration for the stderr stream of the step. 
+ type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + stdoutConfig: + description: Stores configuration for the stdout stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + timeout: + description: |- + Timeout is the time after which the step times out. Defaults to never. + Refer to Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + x-kubernetes-list-type: atomic + when: + description: When is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Step wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + volumes: + description: |- + Volumes is a collection of volumes that are available to mount into the + steps of the build. + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + workspaces: + description: Workspaces are the volumes that this Task requires. + type: array + items: + description: WorkspaceDeclaration is a declaration of a volume that a Task requires. + type: object + required: + - name + properties: + description: + description: Description is an optional human readable description of this volume. + type: string + mountPath: + description: MountPath overrides the directory that the volume will be made available at. + type: string + name: + description: Name is the name by which you can bind the volume at runtime. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in TaskRuns. By default + this field is false and so declared workspaces are required. + type: boolean + readOnly: + description: |- + ReadOnly dictates whether a mounted volume is writable. By default this + field is false and so mounted volumes are writable. 
+ type: boolean + x-kubernetes-list-type: atomic + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: Task + plural: tasks + singular: task + categories: + - tekton + - tekton-pipelines + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: taskruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + description: |- + TaskRun represents a single execution of a Task. TaskRuns are how the steps + specified in a Task are executed; they specify the parameters and resources + used to run the steps in a Task. + + Deprecated: Please use v1.TaskRun instead. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TaskRunSpec defines the desired state of TaskRun + type: object + properties: + computeResources: + description: Compute resources to use for this TaskRun + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + debug: + description: TaskRunDebug defines the breakpoint config for a particular TaskRun + type: object + properties: + breakpoints: + description: TaskBreakpoints defines the breakpoint config for a particular Task + type: object + properties: + beforeSteps: + type: array + items: + type: string + x-kubernetes-list-type: atomic + onFailure: + description: |- + if enabled, pause TaskRun on failure of a step + failed step will not exit + type: string + params: + description: Params is a list of Param + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + podTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. 
+ See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. + type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. + This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are + 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. 
+ type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. + type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. + type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. 
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". 
+ type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. 
+ If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. 
+ The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. 
+ type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. 
+ type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. + type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. 
+ type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + resources: + description: 'Deprecated: Unused, preserved only for backwards compatibility' + type: object + properties: + inputs: + description: Inputs holds the inputs resources this task was invoked with + type: array + items: + description: |- + TaskResourceBinding points to the PipelineResource that + will be used for the Task input or output called Name. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + properties: + name: + description: Name is the name of the PipelineResource in the Pipeline's declaration + type: string + paths: + description: |- + Paths will probably be removed in #1284, and then PipelineResourceBinding can be used instead. + The optional Path field corresponds to a path on disk at which the Resource can be found + (used when providing the resource via mounted volume, overriding the default logic to fetch the Resource). 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + resourceRef: + description: |- + ResourceRef is a reference to the instance of the actual PipelineResource + that should be used + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + resourceSpec: + description: |- + ResourceSpec is specification of a resource that should be created and + consumed by the task + type: object + required: + - params + - type + properties: + description: + description: |- + Description is a user-facing description of the resource that may be + used to populate a UI. + type: string + params: + type: array + items: + description: |- + ResourceParam declares a string value to use for the parameter called Name, and is used in + the specific context of PipelineResources. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - value + properties: + name: + type: string + value: + type: string + x-kubernetes-list-type: atomic + secrets: + description: Secrets to fetch to populate some of resource fields + type: array + items: + description: |- + SecretParam indicates which secret can be used to populate a field of the resource + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - fieldName + - secretKey + - secretName + properties: + fieldName: + type: string + secretKey: + type: string + secretName: + type: string + x-kubernetes-list-type: atomic + type: + description: |- + PipelineResourceType represents the type of endpoint the pipelineResource is, so that the + controller will know this pipelineResource shouldx be fetched and optionally what + additional metatdata should be provided for it. 
+ + Deprecated: Unused, preserved only for backwards compatibility + type: string + x-kubernetes-list-type: atomic + outputs: + description: Outputs holds the inputs resources this task was invoked with + type: array + items: + description: |- + TaskResourceBinding points to the PipelineResource that + will be used for the Task input or output called Name. + + Deprecated: Unused, preserved only for backwards compatibility + type: object + properties: + name: + description: Name is the name of the PipelineResource in the Pipeline's declaration + type: string + paths: + description: |- + Paths will probably be removed in #1284, and then PipelineResourceBinding can be used instead. + The optional Path field corresponds to a path on disk at which the Resource can be found + (used when providing the resource via mounted volume, overriding the default logic to fetch the Resource). + type: array + items: + type: string + x-kubernetes-list-type: atomic + resourceRef: + description: |- + ResourceRef is a reference to the instance of the actual PipelineResource + that should be used + type: object + properties: + apiVersion: + description: API version of the referent + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + resourceSpec: + description: |- + ResourceSpec is specification of a resource that should be created and + consumed by the task + type: object + required: + - params + - type + properties: + description: + description: |- + Description is a user-facing description of the resource that may be + used to populate a UI. + type: string + params: + type: array + items: + description: |- + ResourceParam declares a string value to use for the parameter called Name, and is used in + the specific context of PipelineResources. 
+ + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - name + - value + properties: + name: + type: string + value: + type: string + x-kubernetes-list-type: atomic + secrets: + description: Secrets to fetch to populate some of resource fields + type: array + items: + description: |- + SecretParam indicates which secret can be used to populate a field of the resource + + Deprecated: Unused, preserved only for backwards compatibility + type: object + required: + - fieldName + - secretKey + - secretName + properties: + fieldName: + type: string + secretKey: + type: string + secretName: + type: string + x-kubernetes-list-type: atomic + type: + description: |- + PipelineResourceType represents the type of endpoint the pipelineResource is, so that the + controller will know this pipelineResource shouldx be fetched and optionally what + additional metatdata should be provided for it. + + Deprecated: Unused, preserved only for backwards compatibility + type: string + x-kubernetes-list-type: atomic + retries: + description: Retries represents how many times this TaskRun should be retried in the event of Task failure. + type: integer + serviceAccountName: + type: string + sidecarOverrides: + description: |- + Overrides to apply to Sidecars in this TaskRun. + If a field is specified in both a Sidecar and a SidecarOverride, + the value from the SidecarOverride will be used. + This field is only supported when the alpha feature gate is enabled. + type: array + items: + description: TaskRunSidecarOverride is used to override the values of a Sidecar in the corresponding Task. + type: object + required: + - name + - resources + properties: + name: + description: The name of the Sidecar to override. + type: string + resources: + description: The resource requirements to apply to the Sidecar. 
+ type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + x-kubernetes-list-type: atomic + status: + description: Used for cancelling a TaskRun (and maybe more later on) + type: string + statusMessage: + description: Status message for cancellation. + type: string + stepOverrides: + description: |- + Overrides to apply to Steps in this TaskRun. + If a field is specified in both a Step and a StepOverride, + the value from the StepOverride will be used. + This field is only supported when the alpha feature gate is enabled. + type: array + items: + description: TaskRunStepOverride is used to override the values of a Step in the corresponding Task. + type: object + required: + - name + - resources + properties: + name: + description: The name of the Step to override. + type: string + resources: + description: The resource requirements to apply to the Step. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. 
+ If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + x-kubernetes-list-type: atomic + taskRef: + description: no more than one of the TaskRef and TaskSpec may be specified. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + bundle: + description: |- + Bundle url reference to a Tekton Bundle. + + Deprecated: Please use ResolverRef with the bundles resolver instead. + The field is staying there for go client backward compatibility, but is not used/allowed anymore. + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. 
Cluster-Scoped Task when Kind is set to "ClusterTask" + 3. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. + See Task.spec (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which one retry attempt times out. Defaults to 1 hour. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + workspaces: + description: Workspaces is a list of WorkspaceBindings from volumes to workspaces. + type: array + items: + description: WorkspaceBinding maps a Task's declared workspace to a Volume. + type: object + required: + - name + properties: + configMap: + description: ConfigMap represents a configMap that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + csi: + description: CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers. + type: object + required: + - driver + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). 
+ type: boolean + volumeAttributes: + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + additionalProperties: + type: string + emptyDir: + description: |- + EmptyDir represents a temporary directory that shares a Task's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + Either this OR PersistentVolumeClaim can be used. + type: object + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: Name is the name of the workspace populated by the volume. + type: string + persistentVolumeClaim: + description: |- + PersistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. Either this OR EmptyDir can be used. + type: object + required: + - claimName + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + projected: + description: Projected represents a projected volume that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + type: array + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + type: object + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. 
+ type: object + required: + - path + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. 
If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. 
Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. 
+ type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: Secret represents a secret that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. 
+ This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + volumeClaimTemplate: + description: |- + VolumeClaimTemplate is a template for a claim that will be created in the same namespace. + The PipelineRun controller is responsible for creating a unique claim for each instance of PipelineRun. + See PersistentVolumeClaim (API version: v1) + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + status: + description: TaskRunStatus defines the observed state of TaskRun + type: object + required: + - podName + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + cloudEvents: + description: |- + CloudEvents describe the state of each cloud event requested via a + CloudEventResource. + + Deprecated: Removed in v0.44.0. 
+ type: array + items: + description: |- + CloudEventDelivery is the target of a cloud event along with the state of + delivery. + type: object + properties: + status: + description: CloudEventDeliveryState reports the state of a cloud event to be sent. + type: object + required: + - message + - retryCount + properties: + condition: + description: Current status + type: string + message: + description: Error is the text of error (if any) + type: string + retryCount: + description: RetryCount is the number of attempts of sending the cloud event + type: integer + format: int32 + sentAt: + description: SentAt is the time at which the last attempt to send the event was made + type: string + format: date-time + target: + description: Target points to an addressable + type: string + x-kubernetes-list-type: atomic + completionTime: + description: CompletionTime is the time the build completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. + We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. 
+ type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + podName: + description: PodName is the name of the pod responsible for executing this task's steps. + type: string + provenance: + description: Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). + type: object + properties: + configSource: + description: 'Deprecated: Use RefSource instead' + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. 
+ Example: "https://github.com/tektoncd/catalog" + type: string + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + resourcesResult: + description: |- + Results from Resources built during the TaskRun. + This is tomb-stoned along with the removal of pipelineResources + Deprecated: this field is not populated and is preserved only for backwards compatibility + type: array + items: + description: |- + RunResult is used to write key/value pairs to TaskRun pod termination messages. + The key/value pairs may come from the entrypoint binary, or represent a TaskRunResult. + If they represent a TaskRunResult, the key is the name of the result and the value is the + JSON-serialized value of the result. + type: object + required: + - key + - value + properties: + key: + type: string + resourceName: + description: |- + ResourceName may be used in tests, but it is not populated in termination messages. + It is preserved here for backwards compatibility and will not be ported to v1. + type: string + type: + description: |- + ResultType used to find out whether a RunResult is from a task result or not + Note that ResultsType is another type which is used to define the data type + (e.g. string, array, etc) we used for Results + type: integer + value: + type: string + x-kubernetes-list-type: atomic + retriesStatus: + description: |- + RetriesStatus contains the history of TaskRunStatus in case of a retry in order to keep record of failures. + All TaskRunStatus stored in RetriesStatus will have no date within the RetriesStatus as is redundant. 
+ See TaskRun.status (API version: tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + sidecars: + description: |- + The list has one entry per sidecar in the manifest. Each entry is + represents the imageid of the corresponding sidecar. + type: array + items: + description: SidecarState reports the results of running a sidecar in a Task. + type: object + properties: + container: + type: string + imageID: + type: string + name: + type: string + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at which previous execution of the container started + type: string + format: date-time + waiting: + description: Details about a waiting container + type: object + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. 
+ type: string + x-kubernetes-list-type: atomic + spanContext: + description: SpanContext contains tracing span context fields + type: object + additionalProperties: + type: string + startTime: + description: StartTime is the time the build is actually started. + type: string + format: date-time + steps: + description: Steps describes the state of each build step container. + type: array + items: + description: StepState reports the results of running a step in a Task. + type: object + properties: + container: + type: string + imageID: + type: string + inputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + name: + type: string + outputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. 
+ type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + provenance: + description: |- + Provenance contains metadata about resources used in the TaskRun/PipelineRun + such as the source from where a remote build definition was fetched. + This field aims to carry minimum amoumt of metadata in *Run status so that + Tekton Chains can capture them in the provenance. + type: object + properties: + configSource: + description: 'Deprecated: Use RefSource instead' + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. 
+ Example: "https://github.com/tektoncd/catalog" + type: string + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + results: + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at 
which previous execution of the container started + type: string + format: date-time + waiting: + description: Details about a waiting container + type: object + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + x-kubernetes-list-type: atomic + taskResults: + description: TaskRunResults are the list of results written out by the task's containers + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + taskSpec: + description: |- + TaskSpec contains the Spec from the dereferenced Task definition used to instantiate this TaskRun. + See Task.spec (API version tekton.dev/v1beta1) + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + TaskRun represents a single execution of a Task. 
TaskRuns are how the steps + specified in a Task are executed; they specify the parameters and resources + used to run the steps in a Task. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TaskRunSpec defines the desired state of TaskRun + type: object + properties: + computeResources: + description: Compute resources to use for this TaskRun + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + debug: + description: TaskRunDebug defines the breakpoint config for a particular TaskRun + type: object + properties: + breakpoints: + description: TaskBreakpoints defines the breakpoint config for a particular Task + type: object + properties: + beforeSteps: + type: array + items: + type: string + x-kubernetes-list-type: atomic + onFailure: + description: |- + if enabled, pause TaskRun on failure of a step + failed step will not exit + type: string + params: + description: Params is a list of Param + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + podTemplate: + description: PodTemplate holds pod specific configuration + type: object + properties: + affinity: + description: |- + If specified, the pod's scheduling constraints. + See Pod.spec.affinity (API version: v1) + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether pods running as this + service account should have an API token automatically mounted. + type: boolean + dnsConfig: + description: |- + Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated DNS + configuration based on DNSPolicy. + type: object + properties: + nameservers: + description: |- + A list of DNS name server IP addresses. + This will be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + options: + description: |- + A list of DNS resolver options. + This will be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options given in Options + will override those that appear in the base DNSPolicy. + type: array + items: + description: PodDNSConfigOption defines DNS resolver options of a pod. + type: object + properties: + name: + description: Required. + type: string + value: + type: string + x-kubernetes-list-type: atomic + searches: + description: |- + A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from DNSPolicy. + Duplicated search paths will be removed. + type: array + items: + type: string + x-kubernetes-list-type: atomic + dnsPolicy: + description: |- + Set DNS policy for the pod. Defaults to "ClusterFirst". 
Valid values are + 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. + Optional: Defaults to true. + type: boolean + env: + description: List of environment variables that can be provided to the containers belonging to the pod. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + hostAliases: + description: |- + HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork pods. + type: array + items: + description: |- + HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the + pod's hosts file. + type: object + required: + - ip + properties: + hostnames: + description: Hostnames for the above IP address. + type: array + items: + type: string + x-kubernetes-list-type: atomic + ip: + description: IP address of the host file entry. + type: string + x-kubernetes-list-type: atomic + hostNetwork: + description: HostNetwork specifies whether the pod may use the node network namespace + type: boolean + imagePullSecrets: + description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + additionalProperties: + type: string + priorityClassName: + description: |- + If specified, indicates the pod's priority. "system-node-critical" and + "system-cluster-critical" are two special keywords which indicate the + highest priorities with the former being the highest priority. Any other + name must be defined by creating a PriorityClass object with that name. + If not specified, the pod priority will be default or zero if there is no + default. + type: string + runtimeClassName: + description: |- + RuntimeClassName refers to a RuntimeClass object in the node.k8s.io + group, which should be used to run this pod. If no RuntimeClass resource + matches the named class, the pod will not be run. If unset or empty, the + "legacy" RuntimeClass will be used, which is an implicit class with an + empty definition that uses the default runtime handler. + More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md + This is a beta feature as of Kubernetes v1.14. + type: string + schedulerName: + description: SchedulerName specifies the scheduler to be used to dispatch the Pod + type: string + securityContext: + description: |- + SecurityContext holds pod-level security attributes and common container settings. + Optional: Defaults to empty. See type description for default values of each field. + type: object + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. 
+ Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + type: integer + format: int64 + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. 
+ Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + type: array + items: + description: Sysctl defines a kernel parameter to be set + type: object + required: + - name + - value + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple <key,value,effect> using the matching operator <operator>. + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + x-kubernetes-list-type: atomic + topologySpreadConstraints: + description: |- + TopologySpreadConstraints controls how Pods are spread across your cluster among + failure-domains such as regions, zones, nodes, and other user-defined topology domains. 
+ type: array + items: + description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + type: object + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + type: array + items: + type: string + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + type: integer + format: int32 + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + type: integer + format: int32 + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each <key, value> as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + x-kubernetes-list-type: atomic + volumes: + description: |- + List of volumes that can be mounted by containers belonging to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + retries: + description: Retries represents how many times this TaskRun should be retried in the event of task failure. + type: integer + serviceAccountName: + type: string + sidecarSpecs: + description: |- + Specs to apply to Sidecars in this TaskRun. + If a field is specified in both a Sidecar and a SidecarSpec, + the value from the SidecarSpec will be used. + This field is only supported when the alpha feature gate is enabled. + type: array + items: + description: TaskRunSidecarSpec is used to override the values of a Sidecar in the corresponding Task. + type: object + required: + - computeResources + - name + properties: + computeResources: + description: The resource requirements to apply to the Sidecar. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. 
+ If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: The name of the Sidecar to override. + type: string + x-kubernetes-list-type: atomic + status: + description: Used for cancelling a TaskRun (and maybe more later on) + type: string + statusMessage: + description: Status message for cancellation. + type: string + stepSpecs: + description: |- + Specs to apply to Steps in this TaskRun. + If a field is specified in both a Step and a StepSpec, + the value from the StepSpec will be used. + This field is only supported when the alpha feature gate is enabled. + type: array + items: + description: TaskRunStepSpec is used to override the values of a Step in the corresponding Task. 
+ type: object + required: + - computeResources + - name + properties: + computeResources: + description: The resource requirements to apply to the Step. + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: The name of the Step to override. + type: string + x-kubernetes-list-type: atomic + taskRef: + description: no more than one of the TaskRef and TaskSpec may be specified. + type: object + properties: + apiVersion: + description: |- + API version of the referent + Note: A Task with non-empty APIVersion and Kind is considered a Custom Task + type: string + kind: + description: |- + TaskKind indicates the Kind of the Task: + 1. Namespaced Task when Kind is set to "Task". If Kind is "", it defaults to "Task". + 2. Custom Task when Kind is non-empty and APIVersion is non-empty + type: string + name: + description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + taskSpec: + description: |- + Specifying TaskSpec can be disabled by setting + `disable-inline-spec` feature flag. 
+ See Task.spec (API version: tekton.dev/v1) + x-kubernetes-preserve-unknown-fields: true + timeout: + description: |- + Time after which one retry attempt times out. Defaults to 1 hour. + Refer Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + workspaces: + description: Workspaces is a list of WorkspaceBindings from volumes to workspaces. + type: array + items: + description: WorkspaceBinding maps a Task's declared workspace to a Volume. + type: object + required: + - name + properties: + configMap: + description: ConfigMap represents a configMap that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. 
+ type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + csi: + description: CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers. + type: object + required: + - driver + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. 
+ type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + additionalProperties: + type: string + emptyDir: + description: |- + EmptyDir represents a temporary directory that shares a Task's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + Either this OR PersistentVolumeClaim can be used. + type: object + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + description: Name is the name of the workspace populated by the volume. + type: string + persistentVolumeClaim: + description: |- + PersistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. Either this OR EmptyDir can be used. + type: object + required: + - claimName + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + projected: + description: Projected represents a projected volume that should populate this workspace. + type: object + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. 
+ type: array + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + type: object + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + type: object + required: + - path + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + x-kubernetes-list-type: atomic + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + type: integer + format: int64 + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + x-kubernetes-list-type: atomic + secret: + description: Secret represents a secret that should populate this workspace. 
+ type: object + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. 
+ type: string + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + subPath: + description: |- + SubPath is optionally a directory on the volume which should be used + for this binding (i.e. the volume will be mounted at this sub directory). + type: string + volumeClaimTemplate: + description: |- + VolumeClaimTemplate is a template for a claim that will be created in the same namespace. + The PipelineRun controller is responsible for creating a unique claim for each instance of PipelineRun. + See PersistentVolumeClaim (API version: v1) + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + status: + description: TaskRunStatus defines the observed state of TaskRun + type: object + required: + - podName + properties: + annotations: + description: |- + Annotations is additional Status fields for the Resource to save some + additional State as well as convey more information to the user. This is + roughly akin to Annotations on any k8s resource, just the reconciler conveying + richer information outwards. + type: object + additionalProperties: + type: string + artifacts: + description: Artifacts are the list of artifacts written out by the task's containers + type: object + properties: + inputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. 
+ type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + x-kubernetes-list-type: atomic + outputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + x-kubernetes-list-type: atomic + completionTime: + description: CompletionTime is the time the build completed. + type: string + format: date-time + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: |- + Condition defines a readiness condition for a Knative resource. + See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time the condition transitioned from one status to another. 
+ We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: |- + Severity with which to treat failures of this type of condition. + When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + type: integer + format: int64 + podName: + description: PodName is the name of the pod responsible for executing this task's steps. + type: string + provenance: + description: Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). 
+ type: object + properties: + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + results: + description: Results are the list of results written out by the task's containers + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + retriesStatus: + description: |- + RetriesStatus contains the history of TaskRunStatus in case of a retry in order to keep record of failures. + All TaskRunStatus stored in RetriesStatus will have no date within the RetriesStatus as is redundant. + x-kubernetes-preserve-unknown-fields: true + sidecars: + description: |- + The list has one entry per sidecar in the manifest. Each entry is + represents the imageid of the corresponding sidecar. + type: array + items: + description: SidecarState reports the results of running a sidecar in a Task. 
+ type: object + properties: + container: + type: string + imageID: + type: string + name: + type: string + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at which previous execution of the container started + type: string + format: date-time + waiting: + description: Details about a waiting container + type: object + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + x-kubernetes-list-type: atomic + spanContext: + description: SpanContext contains tracing span context fields + type: object + additionalProperties: + type: string + startTime: + description: StartTime is the time the build is actually started. + type: string + format: date-time + steps: + description: Steps describes the state of each build step container. + type: array + items: + description: StepState reports the results of running a step in a Task. 
+ type: object + properties: + container: + type: string + imageID: + type: string + inputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + name: + type: string + outputs: + type: array + items: + description: |- + Artifact represents an artifact within a system, potentially containing multiple values + associated with it. + type: object + properties: + buildOutput: + description: Indicate if the artifact is a build output or a by-product + type: boolean + name: + description: The artifact's identifying category name + type: string + values: + description: A collection of values related to the artifact + type: array + items: + description: ArtifactValue represents a specific value or data element within an Artifact. + type: object + properties: + digest: + type: object + additionalProperties: + type: string + uri: + type: string + provenance: + description: |- + Provenance contains metadata about resources used in the TaskRun/PipelineRun + such as the source from where a remote build definition was fetched. + This field aims to carry minimum amoumt of metadata in *Run status so that + Tekton Chains can capture them in the provenance. 
+ type: object + properties: + featureFlags: + description: FeatureFlags identifies the feature flags that were used during the task/pipeline run + type: object + properties: + awaitSidecarReadiness: + type: boolean + coschedule: + type: string + disableAffinityAssistant: + type: boolean + disableCredsInit: + type: boolean + disableInlineSpec: + type: string + enableAPIFields: + type: string + enableArtifacts: + type: boolean + enableCELInWhenExpression: + type: boolean + enableConciseResolverSyntax: + type: boolean + enableKeepPodOnCancel: + type: boolean + enableKubernetesSidecar: + type: boolean + enableParamEnum: + type: boolean + enableProvenanceInStatus: + type: boolean + enableStepActions: + type: boolean + enforceNonfalsifiability: + type: string + maxResultSize: + type: integer + requireGitSSHSecretKnownHosts: + type: boolean + resultExtractionMethod: + type: string + runningInEnvWithInjectedSidecars: + type: boolean + sendCloudEventsForRuns: + type: boolean + setSecurityContext: + type: boolean + setSecurityContextReadOnlyRootFilesystem: + type: boolean + verificationNoMatchPolicy: + description: |- + VerificationNoMatchPolicy is the feature flag for "trusted-resources-verification-no-match-policy" + VerificationNoMatchPolicy can be set to "ignore", "warn" and "fail" values. + ignore: skip trusted resources verification when no matching verification policies found + warn: skip trusted resources verification when no matching verification policies found and log a warning + fail: fail the taskrun or pipelines run if no matching verification policies found + type: string + refSource: + description: RefSource identifies the source where a remote task/pipeline came from. + type: object + properties: + digest: + description: |- + Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
+ Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + type: object + additionalProperties: + type: string + entryPoint: + description: |- + EntryPoint identifies the entry point into the build. This is often a path to a + build definition file and/or a target label within that file. + Example: "task/git-clone/0.8/git-clone.yaml" + type: string + uri: + description: |- + URI indicates the identity of the source of the build definition. + Example: "https://github.com/tektoncd/catalog" + type: string + results: + type: array + items: + description: TaskRunResult used to describe the results of a task + type: object + required: + - name + - value + properties: + name: + description: Name the given name + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the given value of the result + x-kubernetes-preserve-unknown-fields: true + running: + description: Details about a running container + type: object + properties: + startedAt: + description: Time at which the container was last (re-)started + type: string + format: date-time + terminated: + description: Details about a terminated container + type: object + required: + - exitCode + properties: + containerID: + description: Container's ID in the format '<type>://<container_id>' + type: string + exitCode: + description: Exit status from the last termination of the container + type: integer + format: int32 + finishedAt: + description: Time at which the container last terminated + type: string + format: date-time + message: + description: Message regarding the last termination of the container + type: string + reason: + description: (brief) reason from the last termination of the container + type: string + signal: + description: Signal from the last termination of the container + type: integer + format: int32 + startedAt: + description: Time at 
which previous execution of the container started + type: string + format: date-time + terminationReason: + type: string + waiting: + description: Details about a waiting container + type: object + properties: + message: + description: Message regarding why the container is not yet running. + type: string + reason: + description: (brief) reason the container is not yet running. + type: string + x-kubernetes-list-type: atomic + taskSpec: + description: TaskSpec contains the Spec from the dereferenced Task definition used to instantiate this TaskRun. + type: object + properties: + description: + description: |- + Description is a user-facing description of the task that may be + used to populate a UI. + type: string + displayName: + description: |- + DisplayName is a user-facing name of the task that may be + used to populate a UI. + type: string + params: + description: |- + Params is a list of input parameters required to run the task. Params + must be supplied as inputs in TaskRuns unless they declare a default + value. + type: array + items: + description: |- + ParamSpec defines arbitrary parameters needed beyond typed inputs (such as + resources). Parameter values are provided by users as inputs on a TaskRun + or PipelineRun. + type: object + required: + - name + properties: + default: + description: |- + Default is the value a parameter takes if no input value is supplied. If + default is set, a Task may be executed without a supplied value for the + parameter. + x-kubernetes-preserve-unknown-fields: true + description: + description: |- + Description is a user-facing description of the parameter that may be + used to populate a UI. + type: string + enum: + description: |- + Enum declares a set of allowed param input values for tasks/pipelines that can be validated. + If Enum is not set, no input validation is performed for the param. + type: array + items: + type: string + name: + description: Name declares the name by which a parameter is referenced. 
+ type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs parameter. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the parameter. The possible types + are currently "string", "array" and "object", and "string" is the default. + type: string + x-kubernetes-list-type: atomic + results: + description: Results are values that this Task can output + type: array + items: + description: TaskResult used to describe the results of a task + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: |- + Type is the user-specified type of the result. The possible type + is currently "string" and will support "array" in following work. + type: string + value: + description: Value the expression used to retrieve the value of the result from an underlying Step. + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + sidecars: + description: |- + Sidecars are run alongside the Task's step containers. They begin before + the steps start and end after the steps complete. 
+ type: array + items: + description: Sidecar has nearly the same data structure as Step but does not have the ability to timeout. + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Sidecar's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Sidecar. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Sidecar. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Sidecar. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + lifecycle: + description: |- + Actions that the management system should take in response to Sidecar lifecycle events. + Cannot be updated. + type: object + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' 
+ type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + sleep: + description: Sleep represents the duration that the container should sleep before being terminated. + type: object + required: + - seconds + properties: + seconds: + description: Seconds is the number of seconds to sleep. + type: integer + format: int64 + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + livenessProbe: + description: |- + Periodic probe of Sidecar liveness. + Container will be restarted if the probe fails. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. 
+ anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + name: + description: |- + Name of the Sidecar specified as a DNS_LABEL. + Each Sidecar in a Task must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: |- + List of ports to expose from the Sidecar. Exposing a port here gives + the system additional information about the network connections a + container uses, but is primarily informational. Not specifying a port here + DOES NOT prevent that port from being exposed. Any port which is + listening on the default "0.0.0.0" address inside a container will be + accessible from the network. + Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. 
+ type: object + required: + - containerPort + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. + If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + type: integer + format: int32 + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: |- + Periodic probe of Sidecar service readiness. + Container will be removed from service endpoints if the probe fails. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. 
+ type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + restartPolicy: + description: |- + RestartPolicy refers to kubernetes RestartPolicy. It can only be set for an + initContainer and must have it's policy set to "Always". It is currently + left optional to help support Kubernetes versions prior to 1.29 when this feature + was introduced. + type: string + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command or Args. + type: string + securityContext: + description: |- + SecurityContext defines the security options the Sidecar should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. 
+ Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + startupProbe: + description: |- + StartupProbe indicates that the Pod the Sidecar is running in has successfully initialized. + If specified, no other probes are executed until this completes successfully. + If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + when it might take a long time to load data or warm a cache, than during steady-state operation. + This cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + x-kubernetes-list-type: atomic + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. 
Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + default: "" + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + required: + - port + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + type: integer + format: int32 + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + required: + - port + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + type: integer + format: int64 + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + type: integer + format: int32 + stdin: + description: |- + Whether this Sidecar should allocate a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the Sidecar will always result in EOF. + Default is false. + type: boolean + stdinOnce: + description: |- + Whether the container runtime should close the stdin channel after it has been opened by + a single attach. When stdin is true the stdin stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is opened on Sidecar start, is empty until the + first client attaches to stdin, and then remains open and accepts data until the client disconnects, + at which time stdin is closed and remains closed until the Sidecar is restarted. If this + flag is false, a container processes that reads from stdin will never receive an EOF. + Default is false + type: boolean + terminationMessagePath: + description: |- + Optional: Path at which the file to which the Sidecar's termination message + will be written is mounted into the Sidecar's filesystem. + Message written is intended to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. The total message length across + all containers will be limited to 12kb. + Defaults to /dev/termination-log. + Cannot be updated. + type: string + terminationMessagePolicy: + description: |- + Indicate how the termination message should be populated. File will use the contents of + terminationMessagePath to populate the Sidecar status message on both success and failure. + FallbackToLogsOnError will use the last chunk of Sidecar log output if the termination + message file is empty and the Sidecar exited with an error. + The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + Defaults to File. + Cannot be updated. 
+ type: string + tty: + description: |- + Whether this Sidecar should allocate a TTY for itself, also requires 'stdin' to be true. + Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Sidecar. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Sidecar's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. 
+ + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Sidecar's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Sidecar wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + stepTemplate: + description: |- + StepTemplate can be used as the basis for all step containers within the + Task, so that the steps inherit settings on the base container. + type: object + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the Step's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. 
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Step. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Step. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Step is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Image reference name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. 
+ Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. 
+ type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + steps: + description: |- + Steps are the steps of the build; each step is run sequentially with the + source mounted into /workspace. 
+ type: array + items: + description: Step runs a subcomponent of a Task + type: object + required: + - name + properties: + args: + description: |- + Arguments to the entrypoint. + The image's CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + command: + description: |- + Entrypoint array. Not executed within a shell. + The image's ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot be updated. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + type: array + items: + type: string + x-kubernetes-list-type: atomic + computeResources: + description: |- + ComputeResources required by this Step. + Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + env: + description: |- + List of environment variables to set in the Step. + Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + envFrom: + description: |- + List of sources to populate environment variables in the Step. + The keys defined within a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the Step is starting. When a key exists in multiple + sources, the value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will take precedence. + Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + default: "" + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + image: + description: |- + Docker image name. + More info: https://kubernetes.io/docs/concepts/containers/images + type: string + imagePullPolicy: + description: |- + Image pull policy. + One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + name: + description: |- + Name of the Step specified as a DNS_LABEL. + Each Step in a Task must have a unique name. + type: string + onError: + description: |- + OnError defines the exiting behavior of a container on error + can be set to [ continue | stopAndFail ] + type: string + params: + description: Params declares parameters passed to this step action. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. + type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + ref: + description: Contains the reference to an existing StepAction. + type: object + properties: + name: + description: Name of the referenced step + type: string + params: + description: |- + Params contains the parameters used to identify the + referenced Tekton resource. Example entries might include + "repo" or "path" but the set of params ultimately depends on + the chosen resolver. + type: array + items: + description: Param declares an ParamValues to use for the parameter called name. 
+ type: object + required: + - name + - value + properties: + name: + type: string + value: + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-list-type: atomic + resolver: + description: |- + Resolver is the name of the resolver that should perform + resolution of the referenced Tekton resource, such as "git". + type: string + results: + description: |- + Results declares StepResults produced by the Step. + + This is field is at an ALPHA stability level and gated by "enable-step-actions" feature flag. + + It can be used in an inlined Step when used to store Results to $(step.results.resultName.path). + It cannot be used when referencing StepActions using [v1.Step.Ref]. + The Results declared by the StepActions will be stored here instead. + type: array + items: + description: |- + StepResult used to describe the Results of a Step. + + This is field is at an BETA stability level and gated by "enable-step-actions" feature flag. + type: object + required: + - name + properties: + description: + description: Description is a human-readable description of the result + type: string + name: + description: Name the given name + type: string + properties: + description: Properties is the JSON Schema properties to support key-value pairs results. + type: object + additionalProperties: + description: PropertySpec defines the struct for object keys + type: object + properties: + type: + description: |- + ParamType indicates the type of an input parameter; + Used to distinguish between a single string and an array of strings. + type: string + type: + description: The possible types are 'string', 'array', and 'object', with 'string' as the default. + type: string + x-kubernetes-list-type: atomic + script: + description: |- + Script is the contents of an executable file to execute. + + If Script is not empty, the Step cannot have an Command and the Args will be passed to the Script. 
+ type: string + securityContext: + description: |- + SecurityContext defines the security options the Step should be run with. + If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: object + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: Added capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + x-kubernetes-list-type: atomic + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + level: + description: Level is SELinux level label that applies to the container. + type: string + role: + description: Role is a SELinux role label that applies to the container. + type: string + type: + description: Type is a SELinux type label that applies to the container. + type: string + user: + description: User is a SELinux user label that applies to the container. + type: string + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". 
Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + type: object + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + stderrConfig: + description: Stores configuration for the stderr stream of the step. 
+ type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + stdoutConfig: + description: Stores configuration for the stdout stream of the step. + type: object + properties: + path: + description: Path to duplicate stdout stream to on container's local filesystem. + type: string + timeout: + description: |- + Timeout is the time after which the step times out. Defaults to never. + Refer to Go's ParseDuration documentation for expected format: https://golang.org/pkg/time/#ParseDuration + type: string + volumeDevices: + description: volumeDevices is the list of block devices to be used by the Step. + type: array + items: + description: volumeDevice describes a mapping of a raw block device within a container. + type: object + required: + - devicePath + - name + properties: + devicePath: + description: devicePath is the path inside of the container that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim in the pod + type: string + x-kubernetes-list-type: atomic + volumeMounts: + description: |- + Volumes to mount into the Step's filesystem. + Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. 
+ type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + x-kubernetes-list-type: atomic + when: + description: When is a list of when expressions that need to be true for the task to run + type: array + items: + description: |- + WhenExpression allows a PipelineTask to declare expressions to be evaluated before the Task is run + to determine whether the Task should be executed or skipped + type: object + properties: + cel: + description: |- + CEL is a string of Common Language Expression, which can be used to conditionally execute + the task based on the result of the expression evaluation + More info about CEL syntax: https://github.com/google/cel-spec/blob/master/doc/langdef.md + type: string + input: + description: Input is the string for guard checking which can be a static input or an output from a parent Task + type: string + operator: + description: Operator that represents an Input's relationship to the values + type: string + values: + description: |- + Values is an array of strings, which is compared against the input, for guard checking + It must be non-empty + type: array + items: + type: string + x-kubernetes-list-type: atomic + workingDir: + description: |- + Step's working directory. + If not specified, the container runtime's default will be used, which + might be configured in the container image. + Cannot be updated. + type: string + workspaces: + description: |- + This is an alpha field. You must set the "enable-api-fields" feature flag to "alpha" + for this field to be supported. + + Workspaces is a list of workspaces from the Task that this Step wants + exclusive access to. Adding a workspace to this list means that any + other Step or Sidecar that does not also request this Workspace will + not have access to it. + type: array + items: + description: |- + WorkspaceUsage is used by a Step or Sidecar to declare that it wants isolated access + to a Workspace defined in a Task. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: |- + MountPath is the path that the workspace should be mounted to inside the Step or Sidecar, + overriding any MountPath specified in the Task's WorkspaceDeclaration. + type: string + name: + description: Name is the name of the workspace this Step or Sidecar wants access to. + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + volumes: + description: |- + Volumes is a collection of volumes that are available to mount into the + steps of the build. + See Pod.spec.volumes (API version: v1) + x-kubernetes-preserve-unknown-fields: true + workspaces: + description: Workspaces are the volumes that this Task requires. + type: array + items: + description: WorkspaceDeclaration is a declaration of a volume that a Task requires. + type: object + required: + - name + properties: + description: + description: Description is an optional human readable description of this volume. + type: string + mountPath: + description: MountPath overrides the directory that the volume will be made available at. + type: string + name: + description: Name is the name by which you can bind the volume at runtime. + type: string + optional: + description: |- + Optional marks a Workspace as not being required in TaskRuns. By default + this field is false and so declared workspaces are required. + type: boolean + readOnly: + description: |- + ReadOnly dictates whether a mounted volume is writable. By default this + field is false and so mounted volumes are writable. 
+ type: boolean + x-kubernetes-list-type: atomic + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: TaskRun + plural: taskruns + singular: taskrun + categories: + - tekton + - tekton-pipelines + shortNames: + - tr + - trs + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: verificationpolicies.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" + version: "v0.70.0" +spec: + group: tekton.dev + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: |- + VerificationPolicy defines the rules to verify Tekton resources. 
+ VerificationPolicy can config the mapping from resources to a list of public + keys, so when verifying the resources we can use the corresponding public keys. + type: object + required: + - spec + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the VerificationPolicy. + type: object + required: + - authorities + - resources + properties: + authorities: + description: Authorities defines the rules for validating signatures. + type: array + items: + description: The Authority block defines the keys for validating signatures. + type: object + required: + - name + properties: + key: + description: Key contains the public key to validate the resource. + type: object + properties: + data: + description: Data contains the inline public key. + type: string + hashAlgorithm: + description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set + type: string + kms: + description: |- + KMS contains the KMS url of the public key + Supported formats differ based on the KMS system used. + One example of a KMS url could be: + gcpkms://projects/[PROJECT]/locations/[LOCATION]>/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[KEY_VERSION] + For more examples please refer https://docs.sigstore.dev/cosign/kms_support. 
+ Note that the KMS is not supported yet. + type: string + secretRef: + description: SecretRef sets a reference to a secret with the key. + type: object + properties: + name: + description: name is unique within a namespace to reference a secret resource. + type: string + namespace: + description: namespace defines the space within which the secret name must be unique. + type: string + x-kubernetes-map-type: atomic + name: + description: Name is the name for this authority. + type: string + mode: + description: |- + Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings + enforce - fail the taskrun/pipelinerun if verification fails (default) + warn - don't fail the taskrun/pipelinerun if verification fails but log warnings + type: string + resources: + description: |- + Resources defines the patterns of resources sources that should be subject to this policy. + For example, we may want to apply this Policy from a certain GitHub repo. + Then the ResourcesPattern should be valid regex. E.g. If using gitresolver, and we want to config keys from a certain git repo. + `ResourcesPattern` can be `https://github.com/tektoncd/catalog.git`, we will use regex to filter out those resources. + type: array + items: + description: ResourcePattern defines the pattern of the resource source + type: object + required: + - pattern + properties: + pattern: + description: |- + Pattern defines a resource pattern. 
Regex is created to filter resources based on `Pattern` + Example patterns: + GitHub resource: https://github.com/tektoncd/catalog.git, https://github.com/tektoncd/* + Bundle resource: gcr.io/tekton-releases/catalog/upstream/git-clone, gcr.io/tekton-releases/catalog/upstream/* + Hub resource: https://artifacthub.io/*, + type: string + names: + kind: VerificationPolicy + plural: verificationpolicies + singular: verificationpolicy + categories: + - tekton + - tekton-pipelines + scope: Namespaced + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: webhook-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" +# The data is populated at install time. 
+--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: validation.webhook.pipeline.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: webhook.pipeline.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.70.0" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: config.webhook.pipeline.tekton.dev + objectSelector: + matchLabels: + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2019-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-edit + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - runs + - customruns + - stepactions + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +--- +# Copyright 2019-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-view + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - runs + - customruns + - stepactions + verbs: + - get + - list + - watch + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-timeout-minutes contains the default number of + # minutes to use for TaskRun and PipelineRun, if none is specified. 
+ default-timeout-minutes: "60" # 60 minutes + + # default-service-account contains the default service account name + # to use for TaskRun and PipelineRun, if none is specified. + default-service-account: "default" + + # default-managed-by-label-value contains the default value given to the + # "app.kubernetes.io/managed-by" label applied to all Pods created for + # TaskRuns. If a user's requested TaskRun specifies another value for this + # label, the user's request supercedes. + default-managed-by-label-value: "tekton-pipelines" + + # default-pod-template contains the default pod template to use for + # TaskRun and PipelineRun. If a pod template is specified on the + # PipelineRun, the default-pod-template is merged with that one. + # default-pod-template: + + # default-affinity-assistant-pod-template contains the default pod template + # to use for affinity assistant pods. If a pod template is specified on the + # PipelineRun, the default-affinity-assistant-pod-template is merged with + # that one. + # default-affinity-assistant-pod-template: + + # default-cloud-events-sink contains the default CloudEvents sink to be + # used for TaskRun and PipelineRun, when no sink is specified. + # Note that right now it is still not possible to set a PipelineRun or + # TaskRun specific sink, so the default is the only option available. + # If no sink is specified, no CloudEvent is generated + # default-cloud-events-sink: + + # default-task-run-workspace-binding contains the default workspace + # configuration provided for any Workspaces that a Task declares + # but that a TaskRun does not explicitly provide. + # default-task-run-workspace-binding: | + # emptyDir: {} + + # default-max-matrix-combinations-count contains the default maximum number + # of combinations from a Matrix, if none is specified. + default-max-matrix-combinations-count: "256" + + # default-forbidden-env contains comma seperated environment variables that cannot be + # overridden by podTemplate. 
+ default-forbidden-env: + + # default-resolver-type contains the default resolver type to be used in the cluster, + # no default-resolver-type is specified by default + default-resolver-type: + + # default-imagepullbackoff-timeout contains the default duration to wait + # before requeuing the TaskRun to retry, specifying 0 here is equivalent to fail fast + # possible values could be 1m, 5m, 10s, 1h, etc + # default-imagepullbackoff-timeout: "5m" + + # default-maximum-resolution-timeout specifies the default duration used by the + # resolution controller before timing out when exceeded. + # Possible values include "1m", "5m", "10s", "1h", etc. + # Example: default-maximum-resolution-timeout: "1m" + + # default-container-resource-requirements allow users to update default resource requirements + # to a init-containers and containers of a pods create by the controller + # Onet: All the resource requirements are applied to init-containers and containers + # only if the existing resource requirements are empty. 
+ # default-container-resource-requirements: | + # place-scripts: # updates resource requirements of a 'place-scripts' container + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "128Mi" + # cpu: "500m" + # + # prepare: # updates resource requirements of a 'prepare' container + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "256Mi" + # cpu: "500m" + # + # working-dir-initializer: # updates resource requirements of a 'working-dir-initializer' container + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "512Mi" + # cpu: "500m" + # + # prefix-scripts: # updates resource requirements of containers which starts with 'scripts-' + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "128Mi" + # cpu: "500m" + # + # prefix-sidecar-scripts: # updates resource requirements of containers which starts with 'sidecar-scripts-' + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "128Mi" + # cpu: "500m" + # + # default: # updates resource requirements of init-containers and containers which has empty resource resource requirements + # requests: + # memory: "64Mi" + # cpu: "250m" + # limits: + # memory: "256Mi" + # cpu: "500m" + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-events + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # formats contains a comma seperated list of event formats to be used + # the only format supported today is "tektonv1". An empty string is not + # a valid configuration. To disable events, do not specify the sink. + formats: "tektonv1" + + # sink contains the event sink to be used for TaskRun, PipelineRun and + # CustomRun. If no sink is specified, no CloudEvent is generated. + # This setting supercedes the "default-cloud-events-sink" from the + # "config-defaults" config map + sink: "https://events.sink/cdevents" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" will prevent Tekton to create an + # Affinity Assistant for every TaskRun sharing a PVC workspace + # + # The default behaviour is for Tekton to create Affinity Assistants + # + # See more in the Affinity Assistant documentation + # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md + # or https://github.com/tektoncd/pipeline/pull/2630 for more info. + # + # Note: This feature flag is deprecated and will be removed in release v0.60. Consider using `coschedule` feature flag to configure Affinity Assistant behavior. + disable-affinity-assistant: "false" + # Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant. + # Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled". + # + # Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node. + # Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node. + # Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node, + # and only allows one pipelinerun to run on a node at a time. + # Setting it to "disabled" will not apply any coschedule policy. + # + # See more in the Affinity Assistant documentation + # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md + coschedule: "workspaces" + # Setting this flag to "true" will prevent Tekton scanning attached + # service accounts and injecting any credentials it finds into your + # Steps. + # + # The default behaviour currently is for Tekton to search service + # accounts for secrets matching a specified format and automatically + # mount those into your Steps. 
+ # + # Note: setting this to "true" will prevent PipelineResources from + # working. + # + # See https://github.com/tektoncd/pipeline/issues/2791 for more + # info. + disable-creds-init: "false" + # Setting this flag to "false" will stop Tekton from waiting for a + # TaskRun's sidecar containers to be running before starting the first + # step. This will allow Tasks to be run in environments that don't + # support the DownwardAPI volume type, but may lead to unintended + # behaviour if sidecars are used. + # + # See https://github.com/tektoncd/pipeline/issues/4937 for more info. + await-sidecar-readiness: "true" + # This option should be set to false when Pipelines is running in a + # cluster that does not use injected sidecars such as Istio. Setting + # it to false should decrease the time it takes for a TaskRun to start + # running. For clusters that use injected sidecars, setting this + # option to false can lead to unexpected behavior. + # + # See https://github.com/tektoncd/pipeline/issues/2080 for more info. + running-in-environment-with-injected-sidecars: "true" + # Setting this flag to "true" will require that any Git SSH Secret + # offered to Tekton must have known_hosts included. + # + # See https://github.com/tektoncd/pipeline/issues/2981 for more + # info. + require-git-ssh-secret-known-hosts: "false" + # Setting this flag to "true" enables the use of Tekton OCI bundle. + # This is an experimental feature and thus should still be considered + # an alpha feature. + enable-tekton-oci-bundles: "false" + # Setting this flag will determine which gated features are enabled. + # Acceptable values are "stable", "beta", or "alpha". 
+ enable-api-fields: "beta" + # Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a + # CloudEvents sink is configured in the config-defaults config map + send-cloudevents-for-runs: "false" + # This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them. + # If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found. + # If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged. + # If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged. + trusted-resources-verification-no-match-policy: "ignore" + # Setting this flag to "true" enables populating the "provenance" field in TaskRun + # and PipelineRun status. This field contains metadata about resources used + # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline + # definition was fetched. + enable-provenance-in-status: "true" + # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance. + # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance. + # If set to "none", then Tekton will not have non-falsifiable provenance. + # This is an experimental feature and thus should still be considered an alpha feature. + enforce-nonfalsifiability: "none" + # Setting this flag will determine how Tekton pipelines will handle extracting results from the task. + # Acceptable values are "termination-message" or "sidecar-logs". + # "sidecar-logs" is now a beta feature. 
+ results-from: "termination-message" + # Setting this flag will determine the upper limit of each task result + # This flag is optional and only associated with the previous flag, results-from + # When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result + # max-result-size: "4096" + # Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns. + # This allows TaskRuns to run in namespaces with "restricted" pod security standards. + # Not all Kubernetes implementations support this option. + set-security-context: "false" + # Setting this flag to "true" will set readOnlyRootFilesystem in securityContext for all containers used in TaskRuns and AffinityAssistant. + set-security-context-read-only-root-filesystem: "false" + # Setting this flag to "true" will keep pod on cancellation + # allowing examination of the logs on the pods from cancelled taskruns + keep-pod-on-cancel: "false" + # Setting this flag to "true" will enable the CEL evaluation in WhenExpression + enable-cel-in-whenexpression: "false" + # Setting this flag to "true" will enable the use of StepActions in Steps + # This feature is in preview mode and not implemented yet. Please check #7259 for updates. + enable-step-actions: "false" + # Setting this flag to "true" will enable the use of Artifacts in Steps + # This feature is in preview mode and not implemented yet. Please check #7693 for updates. + enable-artifacts: "false" + # Setting this flag to "true" will enable the built-in param input validation via param enum. + enable-param-enum: "false" + # Setting this flag to "pipeline,pipelinerun,taskrun" will prevent users from creating + # embedded spec Taskruns or Pipelineruns for Pipeline, Pipelinerun and taskrun + # respectively. We can specify "pipeline" to disable for Pipeline resource only. + # "pipelinerun" for Pipelinerun and "taskrun" for Taskrun. Or a combination of + # these. 
+ disable-inline-spec: "" + # Setting this flag to "true" will enable the use of concise resolver syntax + enable-concise-resolver-syntax: "false" + # Setthing this flag to "true" will enable native Kubernetes Sidecar support + enable-kubernetes-sidecar: "false" + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Contains pipelines version which can be queried by external + # tools such as CLI. Elevated permissions are already given to + # this ConfigMap such that even if we don't have access to + # other resources in the namespace we still can have access to + # this ConfigMap. + version: "v0.70.0" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-events + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. 
+ buckets: "1" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. 
If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using Stackdriver will incur additional charges. + metrics.backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used and metrics will be sent to the cluster's project if this field is + # not provided. + metrics.stackdriver-project-id: "<your stackdriver project id>" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed + # to send metrics to Stackdriver using "global" resource type and custom + # metric type. Setting this flag to "true" could cause extra Stackdriver + # charge. 
If metrics.backend-destination is not Stackdriver, this is + # ignored. + metrics.allow-stackdriver-custom-metrics: "false" + metrics.taskrun.level: "task" + metrics.taskrun.duration-type: "histogram" + metrics.pipelinerun.level: "pipeline" + metrics.pipelinerun.duration-type: "histogram" + metrics.count.enable-reason: "false" + metrics.running-pipelinerun.level: "" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-registry-cert + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +# data: +# # Registry's self-signed certificate +# cert: | + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # spire-trust-domain specifies the SPIRE trust domain to use. + # spire-trust-domain: "example.org" + # + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" + # + # spire-server-addr specifies the SPIRE server address for workload/node registration. + # spire-server-addr: "spire-server.spire.svc.cluster.local:8081" + # + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + # spire-node-alias-prefix: "/tekton-node/" + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-tracing + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # Enable sending traces to defined endpoint by setting this to true + enabled: "true" + # + # API endpoint to send the traces to + # (optional): The default value is given below + endpoint: "http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces" + # (optional) Name of the k8s secret which contains basic auth credentials + credentialsSecret: "jaeger-creds" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + version: "v0.70.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.70.0" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + serviceAccountName: tekton-pipelines-controller + containers: + - name: tekton-pipelines-controller + image: ghcr.io/tektoncd/pipeline/controller-10a3e32792f33651396d02b6855a6e36:v0.70.0@sha256:7c8b2b44592048addf124e8831aaf54a044a72cb396474b342251bbbb0a4e849 + args: [ + # These images are built on-demand by `ko resolve` and are replaced + # by image references by digest. 
+ "-entrypoint-image", "ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v0.70.0@sha256:763d4cd4e362d381b46a5474d3d358e7731d7c13e22ebf632ef530b857521a48", "-nop-image", "ghcr.io/tektoncd/pipeline/nop-8eac7c133edad5df719dc37b36b62482:v0.70.0@sha256:3ee35bb7f537e5b3599668f8705980839a07181619cbad59ef42f6df2671422f", "-sidecarlogresults-image", "ghcr.io/tektoncd/pipeline/sidecarlogresults-7501c6a20d741631510a448b48ab098f:v0.70.0@sha256:a996d5f56574945733d9b854ac651a1b994919fd3ebf06b5847eeac3d72ec1b6", "-workingdirinit-image", "ghcr.io/tektoncd/pipeline/workingdirinit-0c558922ec6a1b739e550e349f2d5fc1:v0.70.0@sha256:ed97cc8058e349c48be1364753a6e47732ba4f8d8aec814bd2cdb8a4ddafa23a", + # The shell image must allow root in order to create directories and copy files to PVCs. + # cgr.dev/chainguard/busybox as of April 14 2022 + # image shall not contains tag, so it will be supported on a runtime like cri-o + "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791", + # for script mode to work with windows we need a powershell image + # pinning to nanoserver tag as of July 15 2021 + "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"] + volumeMounts: + - name: config-logging + mountPath: /etc/config-logging + - name: config-registry-cert + mountPath: /etc/config-registry-cert + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBERNETES_MIN_VERSION + value: "v1.28.0" + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. 
+ - name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-controller + - name: CONFIG_SPIRE + value: config-spire + - name: SSL_CERT_FILE + value: /etc/config-registry-cert/cert + - name: SSL_CERT_DIR + value: /etc/ssl/certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - "ALL" + # User 65532 is the nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: probes + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + volumes: + - name: config-logging + configMap: + name: config-logging + - name: config-registry-cert + configMap: + name: config-registry-cert +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.70.0" + name: tekton-pipelines-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9090 + 
protocol: TCP + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: probes + port: 8080 + selector: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + version: "v0.70.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + 
pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-events-controller + version: "v0.70.0" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + serviceAccountName: tekton-events-controller + containers: + - name: tekton-events-controller + image: ghcr.io/tektoncd/pipeline/events-a9042f7efb0cbade2a868a1ee5ddd52c:v0.70.0@sha256:4766db5f4d0cb923a0ef440c3f0fb309477162935d121289d85965d6adda8448 + args: [] + volumeMounts: + - name: config-logging + mountPath: /etc/config-logging + - name: config-registry-cert + mountPath: /etc/config-registry-cert + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBERNETES_MIN_VERSION + value: "v1.28.0" + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. 
+ - name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-events + - name: SSL_CERT_FILE + value: /etc/config-registry-cert/cert + - name: SSL_CERT_DIR + value: /etc/ssl/certs + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - "ALL" + # User 65532 is the nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: probes + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + volumes: + - name: config-logging + configMap: + name: config-logging + - name: config-registry-cert + configMap: + name: config-registry-cert +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-events-controller + version: "v0.70.0" + name: tekton-events-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9090 + protocol: TCP + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: probes + port: 8080 + selector: + app.kubernetes.io/name: events + 
app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pod-security.kubernetes.io/enforce: restricted + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # ClusterRole for resolvers to monitor and update resolutionrequests. 
+ name: tekton-pipelines-resolvers-resolution-request-updates + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["tekton.dev"] + resources: ["tasks", "pipelines", "stepactions"] + verbs: ["get", "list"] + # Read-only access to these. + - apiGroups: [""] + resources: ["secrets", "serviceaccounts"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # Needed to watch and load configuration and secret data. + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "update", "watch"] + # This is needed by leader election to run the controller in HA. 
+ - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: ClusterRole + name: tekton-pipelines-resolvers-resolution-request-updates + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: Role + name: tekton-pipelines-resolvers-namespace-rbac + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: bundleresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default service account name to use for bundle requests. + default-service-account: "default" + # The default layer kind in the bundle image. + default-kind: "task" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The default kind to fetch. + default-kind: "task" + # The default namespace to look for resources in. + default-namespace: "" + # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. 
+ allowed-namespaces: "" + # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. + blocked-namespaces: "" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: resolvers-feature-flags + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" enables remote resolution of Tekton OCI bundles. + enable-bundles-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines via the Tekton Hub. + enable-hub-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories. + enable-git-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster. + enable-cluster-resolver: "true" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. 
The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. If non-empty, it enables queue proxy to send request metrics. + # Currently supported values: prometheus, stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. 
+ metrics.stackdriver-project-id: "<your stackdriver project id>" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: git-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The maximum amount of time a single anonymous cloning resolution may take. + fetch-timeout: "1m" + # The git url to fetch the remote resource from when using anonymous cloning. + default-url: "https://github.com/tektoncd/catalog.git" + # The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. + default-revision: "main" + # The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud + scm-type: "github" + # The SCM server URL to use with the authenticated API. 
Not needed when using github.com, gitlab.com, or BitBucket Cloud + server-url: "" + # The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. + api-token-secret-name: "" + # The key in the API token secret containing the actual token. Required when using the authenticated API. + api-token-secret-key: "" + # The namespace containing the API token secret. Defaults to "default". + api-token-secret-namespace: "default" + # The default organization to look for repositories under when using the authenticated API, + # if not specified in the resolver parameters. Optional. + default-org: "" + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: http-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The maximum amount of time the http resolver will wait for a response from the server. + fetch-timeout: "1m" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default Tekton Hub catalog from where to pull the resource. + default-tekton-hub-catalog: "Tekton" + # the default Artifact Hub Task catalog from where to pull the resource. + default-artifact-hub-task-catalog: "tekton-catalog-tasks" + # the default Artifact Hub Pipeline catalog from where to pull the resource. + default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines" + # the default layer kind in the hub image. + default-kind: "task" + # the default hub source to pull the resource from. + default-type: "artifact" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-remote-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + version: "v0.70.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.70.0" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.70.0" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-resolvers + version: "v0.70.0" + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + topologyKey: kubernetes.io/hostname + weight: 100 + serviceAccountName: tekton-pipelines-resolvers + containers: + - name: controller + image: ghcr.io/tektoncd/pipeline/resolvers-ff86b24f130c42b88983d3c13993056d:v0.70.0@sha256:8b20efb3866e4bd41b4beba7a7ed51dc7c76f0763b84c32564fbc31c715f0cff + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1000m + memory: 4Gi + 
ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + # This must match the value of the environment variable PROBES_PORT. + - name: probes + containerPort: 8080 + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBERNETES_MIN_VERSION + value: "v1.28.0" + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-resolvers + - name: METRICS_DOMAIN + value: tekton.dev/resolution + - name: PROBES_PORT + value: "8080" + # Override this env var to set a private hub api endpoint + - name: ARTIFACT_HUB_API + value: "https://artifacthub.io/" + - name: TEKTON_HUB_API + value: "https://api.hub.tekton.dev/" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "v0.70.0"
+ app.kubernetes.io/part-of: tekton-pipelines
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "v0.70.0"
+ # labels below are related to istio and should not be used for resource lookup
+ app: tekton-pipelines-remote-resolvers
+ version: "v0.70.0"
+ name: tekton-pipelines-remote-resolvers
+ namespace: tekton-pipelines-resolvers
+spec:
+ ports:
+ - name: http-metrics
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: probes
+ port: 8080
+ selector:
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "v0.70.0"
+ app.kubernetes.io/part-of: tekton-pipelines
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "v0.70.0"
+ # labels below are related to istio and should not be used for resource lookup
+ version: "v0.70.0"
+spec:
+ minReplicas: 1
+ maxReplicas: 5
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: tekton-pipelines-webhook
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 100
+
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ # Note: the Deployment name must be the same as the Service name specified in
+ # config/400-webhook-service.yaml. If you change this name, you must also
+ # change the value of WEBHOOK_SERVICE_NAME below.
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "v0.70.0"
+ app.kubernetes.io/part-of: tekton-pipelines
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "v0.70.0"
+ # labels below are related to istio and should not be used for resource lookup
+ version: "v0.70.0"
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "v0.70.0"
+ app.kubernetes.io/part-of: tekton-pipelines
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "v0.70.0"
+ # labels below are related to istio and should not be used for resource lookup
+ app: tekton-pipelines-webhook
+ version: "v0.70.0"
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: NotIn
+ values:
+ - windows
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ serviceAccountName: tekton-pipelines-webhook
+ containers:
+ - name: webhook
+ # This is the Go import path for the binary that is containerized
+ # and substituted here.
+ image: ghcr.io/tektoncd/pipeline/webhook-d4749e605405422fd87700164e31b2d1:v0.70.0@sha256:454b6ccc39ff1f13226ad5610bf91d7c3a7de2fe6e253a9aff972fa3f5511bd1
+ # Resource request required for autoscaler to take any action for a metric
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_MIN_VERSION
+ value: "v1.28.0"
+ # If you are changing these names, you will also need to update
+ # the webhook's Role in 200-role.yaml to include the new
+ # values in the "configmaps" "get" rule.
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election-webhook
+ - name: CONFIG_FEATURE_FLAGS_NAME
+ value: feature-flags
+ # If you change PROBES_PORT, you will also need to change the
+ # containerPort "probes" to the same value.
+ - name: PROBES_PORT
+ value: "8080"
+ # If you change WEBHOOK_PORT, you will also need to change the
+ # containerPort "https-webhook" to the same value.
+ - name: WEBHOOK_PORT
+ value: "8443"
+ # if you change WEBHOOK_ADMISSION_CONTROLLER_NAME, you will also need to update
+ # the webhooks.name in 500-webhooks.yaml to include the new names of admission webhooks.
+ # Additionally, you will also need to change the resource names (metadata.name) of
+ # "MutatingWebhookConfiguration" and "ValidatingWebhookConfiguration" in 500-webhooks.yaml
+ # to reflect the change in the name of the admission webhook.
+ # Followed by changing the webhook's Role in 200-clusterrole.yaml to update the "resourceNames" of
+ # "mutatingwebhookconfigurations" and "validatingwebhookconfigurations" resources.
+ - name: WEBHOOK_ADMISSION_CONTROLLER_NAME
+ value: webhook.pipeline.tekton.dev
+ - name: WEBHOOK_SERVICE_NAME
+ value: tekton-pipelines-webhook
+ - name: WEBHOOK_SECRET_NAME
+ value: webhook-certs
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - "ALL"
+ # User 65532 is the distroless nonroot user ID
+ runAsUser: 65532
+ runAsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - name: metrics
+ containerPort: 9090
+ - name: profiling
+ containerPort: 8008
+ # This must match the value of the environment variable WEBHOOK_PORT.
+ - name: https-webhook
+ containerPort: 8443
+ # This must match the value of the environment variable PROBES_PORT.
+ - name: probes
+ containerPort: 8080
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "v0.70.0"
+ app.kubernetes.io/part-of: tekton-pipelines
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "v0.70.0"
+ # labels below are related to istio and should not be used for resource lookup
+ app: tekton-pipelines-webhook
+ version: "v0.70.0"
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+spec:
+ ports:
+ # Define metrics and profiling for them to be accessible within service meshes.
+ - name: http-metrics
+ port: 9090
+ targetPort: metrics
+ - name: http-profiling
+ port: 8008
+ targetPort: profiling
+ - name: https-webhook
+ port: 443
+ targetPort: https-webhook
+ - name: probes
+ port: 8080
+ targetPort: probes
+ selector:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
+---
diff --git a/apps/base/tekton/tekton-triggers-v0.31.0.yaml b/apps/base/tekton/tekton-triggers-v0.31.0.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1e10e7fe3a0d8a5558c5f7d31173e19cdc16e56d
--- /dev/null
+++ b/apps/base/tekton/tekton-triggers-v0.31.0.yaml
@@ -0,0 +1,1648 @@
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps", "services", "events"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "deployments/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["clustertriggerbindings", "clusterinterceptors", "interceptors", "eventlisteners", "triggerbindings", "triggertemplates", "triggers", "eventlisteners/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["clustertriggerbindings/status", "clusterinterceptors/status", "interceptors/status", "eventlisteners/status", "triggerbindings/status", "triggertemplates/status", "triggers/status"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # We uses leases for leaderelection
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["serving.knative.dev"]
+ resources: ["*", "*/status", "*/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get"]
+ # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
+ # which requires we can Get the system namespace.
+ resourceNames: ["tekton-pipelines"]
+ - apiGroups: [""]
+ resources: ["namespaces/finalizers"]
+ verbs: ["update"]
+ # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
+ # which requires we can update the system namespace finalizers.
+ resourceNames: ["tekton-pipelines"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-core-interceptors
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-core-interceptors-secrets
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["clusterinterceptors"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "update"]
+ resourceNames: ["tekton-triggers-core-interceptors-certs"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tekton-triggers-eventlistener-roles
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["eventlisteners", "triggerbindings", "interceptors", "triggertemplates", "triggers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["pipelineruns", "pipelineresources", "taskruns"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["impersonate"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-eventlistener-clusterroles
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["clustertriggerbindings", "clusterinterceptors"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# NOTE: when multi-tenant EventListener progresses, moving this Role
+# to a ClusterRole is not the advisable path. Additional Roles that
+# adds access to Secrets to the Namespaces managed by the multi-tenant
+# EventListener is what should be done. While not as simple, it avoids
+# giving access to K8S system level, cluster admin privileged level Secrets
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-admin-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tekton-triggers-info
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ # All system:authenticated users needs to have access
+ # of the triggers-info ConfigMap even if they don't
+ # have access to the other resources present in the
+ # installed namespace.
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["triggers-info"]
+ verbs: ["get"]
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-triggers-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-triggers-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-triggers-controller-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-triggers-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-triggers-webhook-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-triggers-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-triggers-core-interceptors
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-triggers-core-interceptors
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-triggers-core-interceptors-secrets
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-triggers-core-interceptors-secrets
+ apiGroup: rbac.authorization.k8s.io
+
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-webhook-admin
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-triggers-admin-webhook
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-core-interceptors
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-triggers-core-interceptors
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-info
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ # Giving all system:authenticated users the access of the
+ # ConfigMap which contains version information.
+ - kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tekton-triggers-info
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterinterceptors.triggers.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+ triggers.tekton.dev/release: "v0.31.0"
+ version: "v0.31.0"
+spec:
+ group: triggers.tekton.dev
+ scope: Cluster
+ names:
+ kind: ClusterInterceptor
+ plural: clusterinterceptors
+ singular: clusterinterceptor
+ shortNames:
+ - ci
+ categories:
+ - tekton
+ - tekton-triggers
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clustertriggerbindings.triggers.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+ triggers.tekton.dev/release: "v0.31.0"
+ version: "v0.31.0"
+spec:
+ group: triggers.tekton.dev
+ scope: Cluster
+ names:
+ kind: ClusterTriggerBinding
+ plural: clustertriggerbindings
+ singular: clustertriggerbinding
+ shortNames:
+ - ctb
+ categories:
+ - tekton
+ - tekton-triggers
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ - name: v1alpha1
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: eventlisteners.triggers.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+ triggers.tekton.dev/release: "v0.31.0"
+ version: "v0.31.0"
+spec:
+ group: triggers.tekton.dev
+ scope: Namespaced
+ names:
+ kind: EventListener
+ plural: eventlisteners
+ singular: eventlistener
+ shortNames:
+ - el
+ categories:
+ - tekton
+ - tekton-triggers
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Address
+ type: string
+ jsonPath: .status.address.url
+ - name: Available
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Available')].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Available')].reason"
+ - name: Ready
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Ready')].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
+ - name: v1alpha1
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - name: Address
+ type: string
+ jsonPath: .status.address.url
+ - name: Available
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Available')].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Available')].reason"
+ - name: Ready
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Ready')].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
+
+---
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: interceptors.triggers.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+ triggers.tekton.dev/release: "v0.31.0"
+ version: "v0.31.0"
+spec:
+ group: triggers.tekton.dev
+ scope: Namespaced
+ names:
+ kind: Interceptor
+ plural: interceptors
+ singular: interceptor
+ shortNames:
+ - ni
+ categories:
+ - tekton
+ - tekton-triggers
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: triggers.triggers.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+ triggers.tekton.dev/release: "v0.31.0"
+ version: "v0.31.0"
+spec:
+ group: triggers.tekton.dev
+ scope: Namespaced
+ names:
+ kind: Trigger
+ plural: triggers
+ singular: trigger
+ shortNames:
+ - tri
+ categories:
+ - tekton
+ - tekton-triggers
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ - name: v1alpha1
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+
+---
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: triggerbindings.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" + version: "v0.31.0" +spec: + group: triggers.tekton.dev + scope: Namespaced + names: + kind: TriggerBinding + plural: triggerbindings + singular: triggerbinding + shortNames: + - tb + categories: + - tekton + - tekton-triggers + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: triggertemplates.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" + version: "v0.31.0" +spec: + group: triggers.tekton.dev + scope: Namespaced + names: + kind: TriggerTemplate + plural: triggertemplates + singular: triggertemplate + shortNames: + - tt + categories: + - tekton + - tekton-triggers + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: triggers-webhook-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" +# The data is populated at install time. 
+--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.triggers.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: tekton-triggers-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: validation.webhook.triggers.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.triggers.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: tekton-triggers-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: webhook.triggers.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.triggers.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: tekton-triggers-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: config.webhook.triggers.tekton.dev + namespaceSelector: + matchExpressions: + - key: triggers.tekton.dev/release + operator: Exists + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-triggers-aggregate-edit + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - triggers.tekton.dev + resources: + - clustertriggerbindings + - clusterinterceptors + - eventlisteners + - interceptors + - triggers + - triggerbindings + - triggertemplates + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-triggers-aggregate-view + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - triggers.tekton.dev + resources: + - clustertriggerbindings + - clusterinterceptors + - eventlisteners + - interceptors + - triggers + - triggerbindings + - triggertemplates + verbs: + - get + - list + - watch + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults-triggers + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-service-account contains the default service account name + # to use for TaskRun and PipelineRun, if none is specified. 
+ default-service-account: "default" + default-run-as-user: "65532" + default-run-as-group: "65532" + default-fs-group: "65532" + default-run-as-non-root: "true" # allowed values are true and false + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags-triggers + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag will determine which gated features are enabled. + # Acceptable values are "stable" or "alpha". + enable-api-fields: "stable" + # Setting this field with valid regex pattern matching the pattern will exclude labels from + # getting added to resources created by the EventListener such as the deployment + labels-exclusion-pattern: "" + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: triggers-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + # Contains triggers version which can be queried by external + # tools such as CLI. Elevated permissions are already given to + # this ConfigMap such that even if we don't have access to + # other resources in the namespace we still can have access to + # this ConfigMap. + version: "v0.31.0" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-triggers-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. 
+ lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-triggers-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging-triggers + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + # Common configuration for all knative codebase + zap-logger-config: | + { + "level": "info", + "development": false, + "disableStacktrace": true, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + loglevel.eventlistener: "info" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability-triggers + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. + metrics.stackdriver-project-id: "<your stackdriver project id>" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.31.0" + app: tekton-triggers-controller + version: "v0.31.0" + name: tekton-triggers-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-triggers-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + triggers.tekton.dev/release: "v0.31.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + template: + metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + app: tekton-triggers-controller + triggers.tekton.dev/release: "v0.31.0" + # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + version: "v0.31.0" + spec: + serviceAccountName: tekton-triggers-controller + containers: + - name: tekton-triggers-controller + image: "ghcr.io/tektoncd/triggers/controller-f656ca31de179ab913fa76abc255c315:v0.31.0@sha256:ad0740dd693bbc41d6f0005ea90a10acecee28cfc8c67ea00d49ae95b039f41d" + args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "ghcr.io/tektoncd/triggers/eventlistenersink-7ad1faa98cddbcb0c24990303b220bb8:v0.31.0@sha256:b94edc60ca7722f148600541ea70031d6bdbf391c0a84576b505db10e799f112", "-el-port", "8080", "-el-security-context=true", "-el-read-only-root-filesystem=true", "-el-events", "disable", "-el-readtimeout", "5", "-el-writetimeout", "40", "-el-idletimeout", "120", "-el-timeouthandler", "30", "-el-httpclient-readtimeout", "30", "-el-httpclient-keep-alive", "30", "-el-httpclient-tlshandshaketimeout", "10", "-el-httpclient-responseheadertimeout", "10", 
"-el-httpclient-expectcontinuetimeout", "1", "-period-seconds", "10", "-failure-threshold", "3"] + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging-triggers + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability-triggers + - name: CONFIG_DEFAULTS_NAME + value: config-defaults-triggers + - name: METRICS_DOMAIN + value: tekton.dev/triggers + - name: METRICS_PROMETHEUS_PORT + value: "9000" + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-triggers-controllers + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - "ALL" + # User 65532 is the distroless nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: Service +metadata: + name: tekton-triggers-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + app: tekton-triggers-webhook + version: "v0.31.0" + triggers.tekton.dev/release: "v0.31.0" +spec: + ports: + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-triggers-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + triggers.tekton.dev/release: "v0.31.0" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + template: + metadata: + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.31.0" + app.kubernetes.io/part-of: tekton-triggers + app: tekton-triggers-webhook + triggers.tekton.dev/release: "v0.31.0" + # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml + version: "v0.31.0" + spec: + serviceAccountName: tekton-triggers-webhook + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: "ghcr.io/tektoncd/triggers/webhook-dd1edc925ee1772a9f76e2c1bc291ef6:v0.31.0@sha256:bdf81868ee8ed86907477aa0e522f81e00e3bf3d7f194716988ffadc89839615" + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging-triggers + - name: WEBHOOK_SERVICE_NAME + value: tekton-triggers-webhook + - name: WEBHOOK_SECRET_NAME + value: triggers-webhook-certs + - name: METRICS_DOMAIN + value: tekton.dev/triggers + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-triggers-webhook + ports: + - name: metrics + containerPort: 9000 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + # User 65532 is the distroless nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault + +--- diff --git a/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-ingress.yaml b/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a5bb07cec7d6f3025013bf58a5326dfb8f5a4ec2 --- /dev/null +++ b/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-ingress.yaml 
@@ -0,0 +1,76 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitlab-listener + namespace: gitops-pipelines + annotations: + cert-manager.io/cluster-issuer: letsencrypt +spec: + ingressClassName: internet + rules: + - host: ENC[AES256_GCM,data:HtU5G6sC2tGPeHyMWQCm91oFj1E4oBugHA==,iv:AaGId95lo8UM9BEX14Nx/EFivKuoAzIDAcsC8EyBJQM=,tag:mSInMO9au+YbU9UUOG7Pcg==,type:str] + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: el-gitlab-listener + port: + name: http-listener + tls: + - hosts: + - ENC[AES256_GCM,data:5P4FYWeP5g59Gn6xL3ndBU/VjHeqkT/Alw==,iv:ATZv0XuWg1ugCJFFr4NJdz1hweyWUX1XjLsblmQPYRg=,tag:BFjpfMjsCmEpoaTvO+g6Rw==,type:str] + secretName: gitlab-tekton-tls-secret +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-04-10T00:17:32Z" + mac: ENC[AES256_GCM,data:vuVnhI45NU67cVGBv15dJPkOKLJ4IYxGS5Yayg4Bb6lhCOIqBErWhgV46snEegssDDIQdAs4p1b+Cg+P54HRg3bnSnaW9EzCEAKrugVPlxjW1XZgRE3tffI4Biq9aHLY6BUY/2YiQtKW3T7IRRAFfi0GbbI6ZP9FxpuxI8tz8/A=,iv:hkErbhGDZd/cOYceUwSyGI0MuheaOiAXBKGipJftaAo=,tag:lhWRehjMJD5SStX6R5dC7Q==,type:str] + pgp: + - created_at: "2025-04-08T23:15:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7kpg2bgzVHcARAAjK59RSqWKIg/6BpkzOH9/dsNbZE1fMFlMqYsuc+ZgHXC + nRmfrIfIc/QIY+WtuYXewRJee5H/NPQd9dCYC4vxtwtmUl43/JisPf9UPJdPBegD + Y8P8EdshBs0e5L7igxFDiNbNMsGflcgjAB7rB6LI6jYQ81XtmlSazqtvfcx8e/9a + pLL/IdO8thbJ49JrlspO+RYvlkIsa5Mgo9pmL8QtZ0HabQbOuJ/nzPqvmTqFmS1U + FdpV6FmwaVSjTSiA6xL9Ijs8ZZdGNjxCpS3QeyPMGnOqEAFYUTB4hYvVQmJYfq6i + VlP0IiXYcIAg5ndM3cxxKLcfZPqkS8byI/SYMUXfv8OdmrnFXiD+3v3MNOqTEqcq + zO5tl3KDaCrDJzykrUy5Na+RMjtZXL00JFQyLUskEBCqFACuSFgzTfOa99zUM+dN + jgwlit0dckOFiuztHsyRvfKBw7uZueC7QSNSTY2u2qvlgbk0wTfZdcSh6DUA3XUq + KlwALXDmfi4N1QN2LJULoUGDEC6epWfw+AWejfZuHSbhlni45BjgT1j1L5Weo8er + PfTsiMOLU6QegUaYvqLw0tA/OKTd+9Ox+u2et+HIwse9OnUVET2L74UtKng3h5di + oJwVeQy6OXB+EdtTDiraEATGC2vrbK2IMp1bKJuV7kUNAgJLPAU0WtsmtanJRSfS + 
XgHqKrUJH1kIN/sGf4VQPkbBh70AgWpVhd1gUzZqg20GXyMAUmjEC+VDD8o14hN3 + jo3pvL6pgAMC9gvOtpvoFYT9XlThJWQD/aVIvE0M2GkYL9D1LQMLA2gCa/TAvqQ= + =Gk5I + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2025-04-08T23:15:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAAkvxloASrkkzQIwfYWdGsbhVy0FBIseYMxhr5QDtJBype + y8dFxTgLdB4Bj4I0bdWHkDAekEjDfF6ALZEGflv5G99r3RKRU5s63+SUfPah9rZi + dlFLsMJr0CIjxW/FKnWOdstKcyvmwCTYRfMtHQjqkMp+F3721m4qC4/P1QFafQnL + lgpHbvOn4udT6BxoCg/YtC/oMNolkltzHd/jsz8Y8YtPPZJfCoG4qx0HijwGHUIe + sMD0PPwIYws/qNQ396qPmv3ZGrlvxC0xA8MwDTGVbdAhJA18G0HeUipUXw/XTTNG + s/PM3RCIj02eDnruCQqCn7EO6Dr2CfU01z7QyksC21CU2j6XqUJAc2Lyjwpi/coP + +1dSgWSrl8oPVmedbKBxNYhWoTy1ugsZH26UtC137NKcQ4u+kx3zJw/jEZBbVn3P + dVEqwyiXBKP/ssX8cRHiLJYnJbIWlS91mXOWLElvmkfBj8KFtnsJTWpjvIVYranO + YP6B9G2k7/GEcgLQCe8/hvN8wvUpFgyO7MJHfWy4NxUdEtoCBp8KmDAgZ2T3HmJr + y+fkMWCNdSod6fKJ2gnxN4Z7/zjgsNNipIObl85ryNCyWxIW0t/gYZYvTmAV/Gky + MH+g3BFeejFK9kU4sSWRnWnXnHhGiTowrb9kF5PmSduRZh5a6dsN6A1t27AdG2nU + aAEJAhA6o3V2lYsNGI/0Cxjwq+VRzkOYLYfzrXYy8T4iD3v2XMdhbk71luZy4avt + JYIKe7caaDmnBphcfxlPBRNtirCN00rLWsoJLyJkAfaX2NQ0NqumLBno2BEZQvLl + SdLesRwj7qoU + =3XIq + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName|url|static)$ + version: 3.9.4 diff --git a/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-secret.yaml b/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fc21e3661a4064616747a99aeb49eb674e3293b0 --- /dev/null +++ b/apps/k8s01/tekton/gitops-pipelines/gitlab-webhook-secret.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-webhook + namespace: gitops-pipelines +stringData: + token: ENC[AES256_GCM,data:AOZQHsPZjs/zn1Namm38VOmbQ0ovyZfb6qhSxlX7dN6fvwtyn5/u4y6PBgGHrCiuNlDjr/JNxLn6G+FGtT+wweCbBirQknNjNBafWlYg859Vi5Bvkkw6TeoRtseOjtHJm84epHiGC/dwsTnA07nngLLZh6GpxHRFcgXHTc+mujw=,iv:MRrJOY2ugNWCi5FnRJMVLe3nUzsjPS9yEqNj5fjQ388=,tag:BkrSCzcbZtCWghqy2SikLQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-04-10T00:17:22Z" + mac: ENC[AES256_GCM,data:rZSRlYBXV9B1SCQmYOmEePagxq3RlNYe6v3St3EQzUoLgDc9/KdPQv+5K1+Ap/uOiLQooN8Ko1yqNWz/yPgJt0T0uy5aK20vRb/QWbuM5PVeGXaG0YVlm8x6ZVHi7DHsWpyDzlp0gRsnWBFqyFK3XVdZX00DkTBb/8I3SzOpZEY=,iv:9rnlTpFZqucqDiz7XiQB36MvSb0D8EYlGhuTv482Dg8=,tag:OWsOB7szt1HHDi/0lAjkqw==,type:str] + pgp: + - created_at: "2025-04-08T22:03:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7kpg2bgzVHcAQ//TIxpiWP+8+Mq5x3z0YmE8gpHdV5ox9+lMKt9umgeCsMo + l4cU3LDyBI9Y/6Rm+j83IZqD3PxnKQDDU194Nm1qqSOwJ44DtUz56lvCaxKNmRG4 + I88bL8gSXMpIr/chyPUFY4Cx3un8baowHfBcQAt92rM4YjHNnChptOqZ6jc2rsoT + Cf2+yHVIq6aQjbbWO4RD8j6XUsRqc3eRF2GP3OFEAwWay5pQYYzbzUv8cAA/dGLA + hjm3TbEgvL1e0TbgS61sbexzeS8QEZXRUQr6XJy1XzNATEJZW4CFq+tNh1POyOao + 4Do3hp3712t6M96MuRigmQqUcUWTG5+v4SHgsOglZ0Oi/DXe6gfShjAvxj+YqnL5 + 7+01JcpUzVn05hid61Da9j/NZp6JXc4u5E1OGIUA2TNnhVMTcNRENzjCzZKuPPdX + IBiSTg8Frz5vGoKUBSGgrCcZzBnhEgf4IeTNS57Mb3FWQWi8pUt19Ros+pnfOQSE + 1+9/0em7SmgbtcGbjuQWg4uvJAmw2FZS8ktKco/spmZyNI3Hrec0VNllv2Z5HirN + uvMaF/4wPzw/EYDmTOLWsloPBN5mAfOUVMVgGhHpGi3S4BAkj8K/PGUCa60QaWDE + L1DtjXDzq6fapHNdkxx4i54s35FQ/eKxkaPZdXJuJWs7vyNB9QNoKfPDz+pEyn/S + XgGznIeFwFJY++G+hWTpVdcE8Fvb61U2ln65f/gblSvJRDxM39otMNqlW8fLvoUY + L6d4bBe+JKN4Muf5oy5wy2OH2+9V5DRrDxb/+nYYicDt1KrBrMeJEdfYZ1Omb+g= + =h1sF + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2025-04-08T22:03:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ//ZFU6pLLMGbE+O+adlw3Yh5Bnr8CV1Q4E5InSKQGVIskH 
+ PQJe0vHFNAZwV12bFWsi+b4zNvF2zk/DaPwusyAP+fGeFdFJH/6CXWJIPNxp9i1W + oMgWWqVZzo5T4UZ/jVN8VHMfNDXr8WlkumTA3PrK8STnbuRDyERgGRClVYo1L5dj + bsJyjetKOwIW28h6DyI6g7WvSgtO2EQVVjMwKn3o/JNkATkD/Eve+hRt4+tpceub + lDiv5dfcedwH6o/QpLHLd9vVk6uOpCs2cIJskVRpU/USszP5vRiBTGDk2dZHB+Vp + 2gbp2G0GdMm+8rG9FFxZZ/BEQ7h07yihU6rQLo1OmS6aABy39VWLJ9wTIAWpxe9M + osmJn7H+dasBM+Zm2VVHIaGLf069p0OhMMlnViHTK3/LXoNYy2YW0vg7x2p6s3iF + 7KAwHENDsHZFAOAPa4j2adkJxB9cM0L5sa/6zEMEOj9/HHAfNqYKHj7x3CztaQv/ + XGnABbqSguz08uE0eBnPde6eoXYjngJqY1iEHNRjX4yJcJkMyRxtjs7iV9i9Ylud + qFaMhT+78dsABw0e6L9OEiozQpcU7B/dJFkv4K3lbSTQ3UnT2s1GFRkBJMnlrXJu + yq7dWEEqdm514M7jC6BWtAzwqSbJ1TZzOY0dtDVqKGwJQEHZEM2T0Pk6yaJWPtnU + aAEJAhB88bclIrUrkoOSWhzQNvwueQ3hnTbz3PN9YsC2wjq/3tcfxMSe0HcDvQdn + XM0ejj9EQVvMFXrytfsHsoeLbfoWfH1TQAukwVXQVQFYD3UQYS9xwBRfcGucPzW4 + rhXzwyEourVl + =FiBs + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName|url|static)$ + version: 3.9.4 diff --git a/apps/k8s01/tekton/gitops-pipelines/gitops-docs-secret.yaml b/apps/k8s01/tekton/gitops-pipelines/gitops-docs-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..02e619aa99febb2724d34bca6667d505ce78cee8 --- /dev/null +++ b/apps/k8s01/tekton/gitops-pipelines/gitops-docs-secret.yaml 
@@ -0,0 +1,60 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-gitops-docs + namespace: gitops-pipelines +stringData: + username: ENC[AES256_GCM,data:5mzskakXqK/w4x3VWO3F0Hmtfw==,iv:Jd9ONH+SDgV9z70xb075CMbXOiyGN2S8dMOTrkWI+hI=,tag:7UQL4B/0DLmP474ccTvVPQ==,type:str] + password: ENC[AES256_GCM,data:Dn5WjKZEBJJA8roDAHI80h5CtNDD5DgcikPd9cB7W0CN3Eq+vL6qEg==,iv:E3a48d0JXDptso0V3L//mIFNsDBA5+wOTPCn4Z8Gs4Y=,tag:dVUqfzpMVOIsBtJADfq+9g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-04-10T00:17:10Z" + mac: ENC[AES256_GCM,data:P3h1eLA2S1uPmfEJWquCtObKc86P3oeVviZmj9X4+WxDbBtscbYrJsppCoFAgOZ8MHRp58pAQKLzviQibNsVzf1X8ud8ENZBsSH5VrxyFnufDfCsTHOMfaQeWfzIOdmjIbsT64GLiO9DbWIKUoUW3sKtH+ubAeGX5OF/FTbSlhQ=,iv:eJ5ar37UesiWpwWYqWfh4eWrARrSHwIn76ESZPPQjJo=,tag:5ab1VfiNpK4u1YYqFaxiFA==,type:str] + pgp: + - created_at: "2025-04-05T00:05:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7kpg2bgzVHcAQ//UYbnt5CdTc/GiP0xEIQisHu5N7VF5avbX+CwAMzq6Tv0 + 32KyLEQIDQx3xg0ydsMqayS5l8DvhH2HjtOXXl62+WhW7vjeNcFn0Pn6K8osfay8 + 2gMhWzPcZtUZjERcr2MkGoAQL12XoEbEdgGhm0o3NhDKhBTXGQKgIxMAt1mBaMUw + 5hqBmR0534QZ+GyLFN345mxJH7hMjH44JEEh9O+zXMo1Z7ANJiqpcnMfSVKfB3oe + AJpVBaCbXLIrtLymIMVQhaxw/xftfjro+cZVEoVBG2b4gOkc7uLrIDb5h0i0l6ns + 9wzz3dLpJBwcJaQGPE6BrMBZc9Jdf6aj8T6Y/QlNObyCoH5n15OXQAXHC3iDvJW9 + l4FAAjEvR6P4dmMpmTs1rcCgxKcZ7c/AuC1+9YMb1pxZDed0nJA/7NurNFXD5lBN + YQ0U7+oABgnH7tzaBOkKB3e/ozmdlcWHOcyuIS+QnqufcsTCPkgxZJDJwRlyjJBS + zQVxwdmbha5XKejpyvgQDGBPos0sAzdO9NRRgakO+tc9ENpXevOyy0T94CfBcxcb + 3MTLMax9wUWDOY001dP1p8aV81h6JiNxS7QzGYwPEr01+4plitUc5ngtIhdKRIef + L0HeTXWqfxr7urOEd/TjH6JRRg1plxU5xJ91FxltJ1l3sm4+t87HsObl7tXy1zHS + XgHYBOQoNgBcc58e8cka3iQd7LQIjfgMp7593o0dKKVvvm+f6rzlRTiouSp5goeX + MdJoUNs8UMFY46sgh4OFruYhxE6UWNwi1PBActNIg1vxIkatke0iKc7wvtj6SwU= + =tzMa + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2025-04-05T00:05:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA4oYbIHZIrAPARAAjmeGhhQsRLNoGgdYNryVeacObC1hls3CCj6G2dSPge67 + BoQEP3ruNMX39Z2aff6YkffoJHMxiZAW5H0RHPGIAyBMWURFnQhN0IP/kPrEx4cF + P3PRpl3isJ7POdeSfqVpKDWzZc2tQY1XC/wlny65iOl1TomV6bYUXPGdQg0doWjQ + fqwtdm2IBwZeeJEk12STh2FmrZu/RIr8+RqAeMUtsgyRh4PJk1A/Wu6A09cjnfKN + TzKT+VBg1P66eWKO0xhFf2z8RPWYvuDZINN1d7fsSanvVXhGis/wSx8IyOfAc070 + 13N11LVnt1/eF7ABa28mc6bmyHcT0ye7RiiseFxoubj9Uyr9Gp2Lxk50egx5N7EP + SWS4h7NqBo9ck5WpsmjSYggvj1NcrVxrtlnlHoGhWMM7jSrHohs7wk9SytUhNJgg + vXCTNM2OGEqcHoPMz4tJKtcjkHf2Hq1jyUpUirel62Tzz1x2mjgMfJdKvg4xFvb4 + iLCwydLyfE4799OIWZF4f2286TDbL0dx4m33pIkiLjqVto3M6B+SGMqfcfHJIoQs + xT2+WRVnn5E9vKzihTgYMmHncsN0J4cRoWV6A4UidggoFmIZxKbeyxODzzML+EZu + AquCWp8LLcXxhymy/d6naRV58G3vTi1Yi/3PdU+9Y43lOCa/ARqlfBZ2PX1bcz7U + aAEJAhAvaQ+/HqnucOgiughEnsXMpqk2PP39Z6p0tWpD3tYHeew3xS8LEGJAcv+7 + Wilnn/kKAFRhxLVDA3RI3CX82NXQUWF/nji+AFiLfjP0h8hF3c+M+zoXrRX/Hsk1 + 6VPwB7+gHlNK + =NrQQ + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName|url|static)$ + version: 3.9.4 diff --git a/apps/k8s01/tekton/gitops-pipelines/gitops-gitlab-token-secret.yaml b/apps/k8s01/tekton/gitops-pipelines/gitops-gitlab-token-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ae2d2c4a28abeed5e42b811ca25399f8f30d279a --- /dev/null +++ b/apps/k8s01/tekton/gitops-pipelines/gitops-gitlab-token-secret.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-gitops-token + namespace: gitops-pipelines +stringData: + token: ENC[AES256_GCM,data:bKvP+530B0NiU36JAERtfkwtE9Vp1NS59OA=,iv:N0aI2ce8MhVQk8dueKniAM4xlZTBYjA0j50C+xSz1+Y=,tag:w1supEIv0PcbsPYIBZHvMQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-04-10T00:16:59Z" + mac: ENC[AES256_GCM,data:1r3Ne89Jw3n+grJpAL0qu7a70wAXVLXoYFIKkM03YFUJzgb1iMLGWKRubavhBxxwuPN8jOqse9HPVJYHO+3KfjrSfdRUIv/NTi7dDG8GPuE1v/6RKt+DTgWn0XSm1HRl0SXCCLWYXxOaa6u9WrANeHFL7wZKDSE5BKIUTSu1Zww=,iv:B/4/wbIPz+TsBd1BlPoNtnGyry/euNFF8zqy2AbJE6I=,tag:8vaZ6Y8eG6cA/oDkH/0qrA==,type:str] + pgp: + - created_at: "2025-04-05T00:56:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7kpg2bgzVHcAQ/9Fej8P9SX6N6YEa/4aNjcsuqMuKzVLK/poJ9UcqsuyJ5X + eW3PJrWEXY2zQyV+zRIEGczlzg52IIizLhkOZeaH55nx5A/GqOg1yikYHg2T6g0p + MWdhdjSquMAVX/Bu51otdVsFtX7c9sQRyT+rk8NgN2R1xWJ/VuKQjvoZzFJSgof2 + ICgk5HSrWX5ucNZ7yq8tsZnJgXQyacBn7wt1nakv2T6l1ZdpT6N3J5gZHaAtG8wm + YapCWT6ON+7z70RbiNXze4cppPUaGm8PUD8WlmWYCUTPdG7xAoxuuhnT7FxJ30R5 + 5ypSJPZN/S0XlO0GZzRean7iXX3IgKydLg3su5nYMtHmCr5Ayt40Z8vQJQNUTfuZ + ualBBmDRu8YXM/Rhp33snSLMVBoAYD2pC6mNnqQVklXOBwadtMnu5iYwOtRMk4BC + eEZIh1p16cYofLuX68Oqe7JxCX7+WGvupoZaiTpnYNL6Ly7uAjvROL8CPwvGwayo + 6FHEHgiTRgrKlLwOdMuLVlGBLub/+96VPjJzSO6BUiXXVYFgHQG88AJemX1cUBCh + DFEpAmHtmp06ulkeA8AxAoQSUcylVu/o4DxmG7/6tqCn9KhuV5SiwSJqhfcQmBGA + xDag2b5l7AoDUHJvYnY4Qe9rj7HNjWdEdECBvoiEnq99qDtZwBlH6Qj+LN9KQE7S + XgFTBH2vmBTEhfR5CX7KKaVAPWerXBrmJSSrYSjJpCqjsn6maggxVVAl2GycFxoX + /JtnQfUDNE/PLxdgU8stIWfq2IVty3h5UMWTF5DC3P0GSMXPmCQOuGqOxWvH7rU= + =+sKM + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2025-04-05T00:56:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ//Z9G70/42I7bCxYcaTkv9OADHkBsoQcET4ozT9XX6//ve + 7jGKGXus0M0SPSxReFuDWt4jpugfmpGUivW3VI/CTiETYxuULDppKh8JEGFJ1oh2 + 
Mdykydg2MpyrjrjPGe2Xzg8jx22iFu39tkC6XiAGHnSt8dIUgJqW/p3b2Ew4pei4 + pXVhXqxj7b4X2zMhkKxFjJIksv0rtu7jM6nwIiIlhQzfKWwpkLPm4nrvxKCmjiRe + h7NxWY2yBeCMmkp2XzULbh2xh1zNxeRhUcbNAm2TWsbi8H9ijiSDozyTm67VwlpZ + JrnbZHx32ksE/gJJpdCH1DCbyDljcBqQOluDko4Usd496sPvSQbNPoVfRzG9OAtE + tnKkhk3PtV7g7JfcvwdATGN/4egzAzxZ5BB3qXDHaeCQ45MpxrROYvY3a/we1ub0 + yUfiRCIrya57qu2atWDAtcJvOqzlD+beWPb/1Z/ikeAtoSnrO67S86P6EiPAyUbB + UBXWFFm41E0x1Ful0JUtEQFdTjbJaRPqOAdBEeWyllHmh2AOfU/p0BXaRBKFYbIL + y33lJeXgcU8EY+2lXMIlNKeU+jfiVlDUrE9rPIBSmVC89y9GCqzVV8VpQ+qS+L/o + TvxkXWAQScpTxlw/r7NMOoSzFTlBUMAygey+fXf6BT6H4qpF5SrkFvXrakzdWl/U + aAEJAhDjkuxMqQHw2SA4iRw2Ll7EBK57xjhL6n80ZtD954Z1gGKw6AhEHZK0cbqw + a9ow6A6B721ILG7XhYhryCE/1XRsBl6eREktAYPcb77uVdAJUBT7TgJFDerolLSI + +liruUKSrTOx + =+j5m + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName|url|static)$ + version: 3.9.4 diff --git a/apps/k8s01/tekton/gitops-pipelines/kustomization.yaml b/apps/k8s01/tekton/gitops-pipelines/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f7ad73308ed353f099e13ac7a79569392dd03d04 --- /dev/null +++ b/apps/k8s01/tekton/gitops-pipelines/kustomization.yaml 
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitops-pipelines
+
+resources:
+ - namespace.yaml
+ - tekton-resources.yaml
+ - gitops-docs-secret.yaml
+ - gitops-gitlab-token-secret.yaml
+ - gitlab-webhook-secret.yaml
+ - gitlab-webhook-ingress.yaml
+ - ../../../../shared/networkpolicies/deny-by-default-ingress.yaml
+ - ../../../../shared/networkpolicies/deny-by-default-egress.yaml
+ - ../../../../shared/networkpolicies/allow-from-same-namespace.yaml
+ - ../../../../shared/networkpolicies/allow-from-ingress.yaml
+ - ../../../../shared/networkpolicies/allow-to-public-web.yaml
+ - ../../../../shared/networkpolicies/allow-to-s3-internal.yaml
+ - ../../../../shared/networkpolicies/allow-to-same-namespace.yaml
+ - ../../../../shared/networkpolicies/allow-to-kube-system.yaml
+ - ../../../../shared/networkpolicies/allow-to-kubedns.yaml
+ - networkpolicy.yaml
+
+patches:
+ - path: network-policy-patch.yaml
+
+components:
+ - ../../../../shared/components/resourcequota-default
+ - ../../../../shared/components/priority-tier-3
+ - ../../../../shared/components/namespace-restricted
\ No newline at end of file
diff --git a/apps/k8s01/tekton/gitops-pipelines/namespace.yaml b/apps/k8s01/tekton/gitops-pipelines/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ed5d0741ddc076550cb8d0f9155bd730e15c2889
--- /dev/null
+++ b/apps/k8s01/tekton/gitops-pipelines/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitops-pipelines
+ labels: {}
diff --git a/apps/k8s01/tekton/gitops-pipelines/network-policy-patch.yaml b/apps/k8s01/tekton/gitops-pipelines/network-policy-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..13821987ad59272108728bfa7110745c584d860c
--- /dev/null
+++ b/apps/k8s01/tekton/gitops-pipelines/network-policy-patch.yaml
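Review bot: The namespace imports the shared `allow-from-ingress` and `allow-to-public-web` policies unchanged, while `network-policy-patch.yaml` narrows only `allow-to-kube-system` and `allow-to-s3-internal`; whatever pod selector the shared files carry (not visible here) therefore applies to every pod in `gitops-pipelines`, PipelineRun pods included. If those shared policies select all pods, consider patching them the same way — ingress from the ingress controller to the EventListener pods only (`app.kubernetes.io/managed-by: EventListener`), and public-web egress only to the task pods that fetch from outside (the `git-clone` task). A one-line comment above `patches:` naming the shared policies that are deliberately left broad would make the intent reviewable.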
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-kube-system
+spec:
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/managed-by
+ operator: In
+ values:
+ - EventListener
+---
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-s3-internal
+spec:
+ podSelector:
+ matchExpressions:
+ - key: tekton.dev/task
+ operator: In
+ values:
+ - mc-mirror
\ No newline at end of file
diff --git a/apps/k8s01/tekton/gitops-pipelines/networkpolicy.yaml b/apps/k8s01/tekton/gitops-pipelines/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..27b9c6a420ba8c247447d60e063ac606834344ee
--- /dev/null
+++ b/apps/k8s01/tekton/gitops-pipelines/networkpolicy.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-tekton-interceptors
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tekton-pipelines
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - interceptors
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - core-interceptors
+ ports:
+ - protocol: TCP
+ port: 8443
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values:
+ - kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/managed-by
+ operator: In
+ values:
+ - EventListener
+ policyTypes:
+ - Egress
\ No newline at end of file
diff --git a/apps/k8s01/tekton/gitops-pipelines/tekton-resources.yaml b/apps/k8s01/tekton/gitops-pipelines/tekton-resources.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ba0b49ff2c8c8e03546d94937b22c8b13e527eb3
--- /dev/null
+++ b/apps/k8s01/tekton/gitops-pipelines/tekton-resources.yaml
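Review bot: The second document in `network-policy-patch.yaml` is opened by a doubled separator (`+--- +---`), which leaves an empty YAML document between the two patches; kyaml-based kustomize usually drops empty documents, but a single `---` between the two NetworkPolicy patches is all that is needed and avoids relying on that tolerance. Both patches replace `spec.podSelector` outright, so after patching `allow-to-kube-system` covers only EventListener pods and `allow-to-s3-internal` only pods labelled `tekton.dev/task: mc-mirror`; Tekton applies that label to pods of TaskRuns created from a `taskRef`, so an inline `taskSpec` step calling `mc` would not match. A header comment naming the shared policy each patch narrows, and why, would help the next reader.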
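Review bot: `allow-to-tekton-interceptors` grants EventListener pods egress to the core interceptors on 8443 and to kube-dns only; the listener also has to reach the Kubernetes API server to create the `PipelineRun`s its Trigger template emits, and with `deny-by-default-egress` in the same kustomization that path is open only if the patched `allow-to-kube-system` policy (not visible here) covers the API server endpoint. Worth verifying on the cluster, since a blocked listener fails at webhook time rather than at apply time; if it is not covered, add an explicit `to:` entry for the API server here. Style: the single-value `matchExpressions`/`In` selectors read more simply as `matchLabels:` (e.g. `app.kubernetes.io/managed-by: EventListener`), the form already used for the `namespaceSelector`.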
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: tekton-resources
+spec:
+ targetNamespace: gitops-pipelines
+ interval: 60m0s
+ path: ./tekton
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
diff --git a/apps/k8s01/tekton/kustomization.yaml b/apps/k8s01/tekton/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b6710a2dfff395af172bcaf2283e47ae60527232
--- /dev/null
+++ b/apps/k8s01/tekton/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base/tekton
+ - gitops-pipelines
+
+replicas:
+- name: tekton-triggers-core-interceptors
+ count: 2
+- name: tekton-pipelines-webhook
+ count: 2
+- name: tekton-triggers-webhook
+ count: 2
+
+components:
+ - ../../../shared/components/priority-tier-3
+ - ../../../shared/components/namespace-restricted
\ No newline at end of file
diff --git a/bin/Earthfile b/bin/Earthfile
index 8965cb7acc9631193a7da90d690fff5ec79dc6ed..283999f62e0cca70fd46a73de3c7357a5d84cc17 100644
--- a/bin/Earthfile
+++ b/bin/Earthfile
@@ -15,6 +15,7 @@ assemble:
 COPY ../images/tools+clusterctl/clusterctl /usr/local/bin/clusterctl
 COPY ../images/tools+talhelper/talhelper /usr/local/bin/talhelper
 COPY ../images/tools+talosctl/talosctl /usr/local/bin/talosctl
+ COPY ../images/tools+tkn/tkn /usr/local/bin/tkn
 RUN ls /usr/local/bin/ > /usr/local/bin/.gitignore
diff --git a/docs/.gitlab-ci.yaml b/docs/.gitlab-ci.yaml
index c5156c30d66a278ebe75929c7e2bdcf1c6397fbd..65855638a58a740732452c1ec952c150fdfd836e 100644
--- a/docs/.gitlab-ci.yaml
+++ b/docs/.gitlab-ci.yaml
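Review bot: This Flux `Kustomization` sets no `spec.serviceAccountName`, so `./tekton` is applied with kustomize-controller's own cluster-admin credentials; that tree contains a `ClusterRoleBinding` (`tekton/eventlistener/gitlab/0.1/gitlab.yaml`), so any future change under that path can widen cluster-wide RBAC with nothing to stop it. Consider `serviceAccountName: <placeholder-sa>` bound to a Role limited to the Tekton kinds plus the namespaced RBAC this tree needs, and `wait: true` with a `timeout` so a failed apply surfaces in the object's status. The cross-namespace `sourceRef` (`gitops-pipelines` → `flux-system`) works only while kustomize-controller runs without `--no-cross-namespace-refs`; if the cluster enforces that flag this object will be rejected, which is worth a comment. Minor: `interval: 60m0s` reads more naturally as `60m`.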
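Review bot: The `replicas:` list uses flush sequence indentation (`- name:` at the key's column) while `resources:` and `components:` in the same file indent their items; yamllint's `indentation` rule flags the mix, and `tekton/kustomization.yaml` later in this diff mixes the same way for `images:`. Pick one form per file, e.g. `  - name: tekton-triggers-core-interceptors` / `    count: 2`. A short comment on why exactly these three Tekton deployments are scaled to 2 (availability of the admission and interceptor webhooks, presumably) would save the next reader a guess.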
@@ -24,42 +24,6 @@ lint-docs:
 - images/**/README.md
 - infrastructure/**/README.md
-build-docs:
- stage: build
- image: docker.io/library/rust
- variables:
- CARGO_HOME: $CI_PROJECT_DIR/cargo
- # renovate: datasource=github-releases depName=rust-lang/mdBook
- MDBOOK_VERSION: v0.4.48
- before_script:
- - export PATH="$PATH:$CARGO_HOME/bin"
- - mdbook --version | grep "$MDBOOK_VERSION" || cargo install --version "${MDBOOK_VERSION//v}" --force mdbook
- script:
- - mdbook build docs
- needs:
- - lint-docs
- rules:
- - if: '$FORCE_DOCS_BUILD == "true"'
- - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
- changes:
- paths:
- - docs/**/*
- - apps/**/README.md
- - bootstrap/**/README.md
- - charts/**/README.md
- - clusters/**/README.md
- - images/**/README.md
- - infrastructure/**/README.md
- artifacts:
- expire_in: 1 week
- paths:
- - docs/book
- cache:
- paths:
- - $CARGO_HOME/bin
- tags:
- - kubernetes
-
 build-runbooks:
 extends: .earthly-cloud
 stage: build
@@ -99,29 +63,3 @@ upload-runbooks:
 - docs/**/*
 tags:
 - kubernetes
-
-upload-docs:
- stage: release
- image:
- name: docker.io/minio/mc
- entrypoint: ['']
- before_script:
- - mc alias set minio $GITOPS_DOCS_MINIO_ENDPOINT $GITOPS_DOCS_MINIO_ACCESS_KEY $GITOPS_DOCS_MINIO_ACCESS_SECRET
- script:
- - mc mirror --remove --overwrite docs/book minio/gitops-docs
- needs:
- - build-docs
- rules:
- - if: '$FORCE_DOCS_BUILD == "true"'
- - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
- changes:
- paths:
- - docs/**/*
- - apps/**/README.md
- - bootstrap/**/README.md
- - charts/**/README.md
- - clusters/**/README.md
- - images/**/README.md
- - infrastructure/**/README.md
- tags:
- - kubernetes
diff --git a/images/tools/Earthfile b/images/tools/Earthfile
index 28a06c7dcfacb183fa9a54881af64bb3d6b1fa40..f5158919b3c3a1e29ad97f9c0a04e3ddeb9c3310 100644
--- a/images/tools/Earthfile
+++ b/images/tools/Earthfile
@@ -189,6 +189,18 @@ mdbook: SAVE ARTIFACT /usr/local/bin/mdbook ./mdbook SAVE IMAGE --cache-hint +tkn: + FROM ../mirror+fedora + + # renovate: datasource=github-releases depName=tektoncd/cli + ARG TKN_VERSION=v0.40.0 + ENV TKN_VERSION=${TKN_VERSION} + + RUN curl -L "https://github.com/tektoncd/cli/releases/download/${TKN_VERSION}/tkn_${TKN_VERSION#v}_Linux_x86_64.tar.gz" | tar xvzf - tkn \ + && install -o root -g root -m 0755 tkn /usr/local/bin/tkn + SAVE ARTIFACT /usr/local/bin/tkn ./tkn + SAVE IMAGE --cache-hint + vale: FROM docker.io/jdkato/vale:v3.11.2 SAVE ARTIFACT /bin/vale ./vale diff --git a/tekton/eventlistener/gitlab/0.1/gitlab.yaml b/tekton/eventlistener/gitlab/0.1/gitlab.yaml new file mode 100644 index 0000000000000000000000000000000000000000..19b1738bdd6a33d6a9b03c34a049e9e8c91d7110 --- /dev/null +++ b/tekton/eventlistener/gitlab/0.1/gitlab.yaml 
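Review bot: The `tkn` target downloads the release tarball with `curl -L` and installs it without verifying a checksum, so the resulting binary is trusted on the strength of TLS to github.com alone; the tektoncd/cli release also publishes a `checksums.txt`, and pinning its sha256 here turns a version bump into a verifiable change. Something like `curl -fsSL "<url>" -o tkn.tar.gz && echo "<sha256 from checksums.txt>  tkn.tar.gz" | sha256sum -c - && tar xzf tkn.tar.gz tkn` does that, and `-f` additionally makes a 404 fail the build instead of feeding an HTML page to `tar`. If the neighbouring targets (e.g. `mdbook`, mostly outside this hunk) follow the same unverified pattern, treat this as the place to start the convention rather than an outlier.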
@@ -0,0 +1,110 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+ name: gitlab-listener
+spec:
+ serviceAccountName: tekton-triggers-gitlab
+ triggerGroups:
+ - name: gitlab-push-events-trigger
+ interceptors:
+ - ref:
+ name: "gitlab"
+ params:
+ - name: "secretRef"
+ value:
+ secretName: "gitlab-webhook"
+ secretKey: "token"
+ - name: "eventTypes"
+ value:
+ - "Push Hook"
+ - ref:
+ name: cel
+ params:
+ # Only allow default branch for execution
+ - name: "filter"
+ value: 'body.ref.replace("refs/heads/", "") == body.project.default_branch'
+ triggerSelector:
+ labelSelector:
+ matchLabels:
+ type: gitops-default
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: Trigger
+metadata:
+ name: gitops-docs
+ labels:
+ type: gitops-default
+spec:
+ bindings:
+ - name: gitrevision
+ value: $(body.checkout_sha)
+ - name: gitrepositoryurl
+ value: $(body.repository.git_http_url)
+ - name: gitlab-project-path
+ value: $(body.project.path_with_namespace)
+ template:
+ spec:
+ params:
+ - name: gitrevision
+ - name: gitrepositoryurl
+ - name: gitlab-project-path
+ resourcetemplates:
+ - apiVersion: tekton.dev/v1beta1
+ kind: PipelineRun
+ metadata:
+ generateName: gitops-docs-
+ spec:
+ pipelineRef:
+ name: build-upload-gitops-docs
+ params:
+ - name: repo-url
+ value: "$(tt.params.gitrepositoryurl)"
+ - name: docs-path
+ value: "docs"
+ - name: s3-bucket
+ value: "gitops-docs"
+ - name: s3-endpoint
+ value: "https://fs03.s3.si-infra.de:9000"
+ podTemplate:
+ securityContext:
+ runAsUser: 65532
+ fsGroup: 65532
+ workspaces:
+ - name: git-repository
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-triggers-gitlab
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: triggers-gitlab-eventlistener-binding
+subjects:
+- kind: ServiceAccount
+ name: tekton-triggers-gitlab
+roleRef:
+ apiGroup: 
rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-triggers-eventlistener-roles
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: triggers-gitlab-eventlistener-clusterbinding
+subjects:
+- kind: ServiceAccount
+ name: tekton-triggers-gitlab
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-triggers-eventlistener-clusterroles
\ No newline at end of file
diff --git a/tekton/eventlistener/kustomization.yaml b/tekton/eventlistener/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4ec327687ab5e27ce7574ea18fc250db722b4b25
--- /dev/null
+++ b/tekton/eventlistener/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./gitlab/0.1/gitlab.yaml
\ No newline at end of file
diff --git a/tekton/kustomization.yaml b/tekton/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..aa999a3dd411c5d99760bd3da5ab29f8fd6af884
--- /dev/null
+++ b/tekton/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./task
+ - ./pipeline
+ - ./eventlistener
+
+configurations:
+ - tekton-images.yaml
+
+images:
+- name: ghcr.io/peaceiris/mdbook
+ newTag: v0.4.40
+- name: quay.io/git-chglog/git-chglog
+ newTag: 0.15.4
+- name: registry.access.redhat.com/ubi8/python-38
+ newName: quay.io/fedora/python-312
+ newTag: latest
+ digest: sha256:58a4a7028d1a15f98c0cfdbc4637f3d485ecfd9d15ceeba3d7c690ed073fe5ee
+
+patches:
+ - path: security-context-patch.yaml
+ target:
+ kind: Task
+ - path: security-context-patch.yaml
+ target:
+ kind: ClusterTask
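Review bot: The `ClusterRoleBinding` subject pins `namespace: default` for the `tekton-triggers-gitlab` ServiceAccount, but the account itself is declared without a namespace and this tree is moved into `gitops-pipelines` by the Flux `targetNamespace`; that only lines up because kustomize's namespace transformer rewrites ServiceAccount subjects whose namespace is literally `default` (its `defaultOnly` behaviour), which Flux appears to inherit. Applied any other way, the binding would grant `tekton-triggers-eventlistener-clusterroles` to a `default/tekton-triggers-gitlab` account instead of the listener's; a comment above the subject such as `# "default" is rewritten to the target namespace by kustomize (setRoleBindingSubjects: defaultOnly)`, or spelling out `gitops-pipelines`, removes the surprise. Separately, the `cel` interceptor only checks that the push is to the project's default branch: any project configured with the same webhook token can start a `gitops-docs` PipelineRun pointing at its own `repository.git_http_url`, so consider extending the filter with `body.project.path_with_namespace == "<expected project path>"` — the binding already extracts that value but nothing consumes it.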
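Review bot: Only the `python-312` image is pinned with `digest:`; `ghcr.io/peaceiris/mdbook` and `quay.io/git-chglog/git-chglog` are retagged to mutable tags, so those two task images can change under the pipelines without a commit here. Add a `digest:` to each, keeping `newTag` as the human-readable label as already done for `python-312`. `configurations: - tekton-images.yaml` refers to a file that does not appear in the visible part of this diff; if it is new it belongs in the change set, otherwise a comment saying where it lives would help. Style: the `images:` list is flush-indented while the other lists in this file indent their items.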
diff --git a/tekton/pipeline/build-upload-gitops-docs/0.1/build-upload-gitops-docs.yaml b/tekton/pipeline/build-upload-gitops-docs/0.1/build-upload-gitops-docs.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..75a6dbe8eadccb57cbd72a295cc9fb111cf9004c
--- /dev/null
+++ b/tekton/pipeline/build-upload-gitops-docs/0.1/build-upload-gitops-docs.yaml
@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: build-upload-gitops-docs
+spec:
+ params:
+ - name: repo-url
+ type: string
+ description: The git repository URL to clone from.
+ - name: docs-path
+ type: string
+ description: Path inside the git repository that contains the gitops-docs
+ - name: s3-endpoint
+ type: string
+ description: Target MINIO instance
+ - name: s3-bucket
+ type: string
+ description: Target S3 bucket
+ - name: s3-credentails-secret
+ type: string
+ description: Name of the Kubernetes secret hosting the minio credentails as `username` and `password`
+ default: minio-gitops-docs
+ workspaces:
+ - name: git-repository
+ description: |
+ This workspace contains the cloned repo files, so they can be read by the next task.
+ tasks:
+ - name: fetch-source
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: git-repository
+ params:
+ - name: url
+ value: "$(params.repo-url)"
+ - name: verbose
+ value: "false"
+ - name: build-docs
+ taskRef:
+ name: mdbook-build
+ params:
+ - name: content-dir
+ value: "$(params.docs-path)"
+ workspaces:
+ - name: source
+ workspace: git-repository
+ runAfter:
+ - fetch-source
+ - name: upload-docs
+ taskRef:
+ name: mc-mirror
+ params:
+ - name: source
+ value: "$(params.docs-path)/book"
+ - name: MINIO_ENDPOINT
+ value: "$(params.s3-endpoint)"
+ - name: MINIO_BUCKET
+ value: "$(params.s3-bucket)"
+ - name: MINIO_CREDENTIAL_SECRET
+ value: "$(params.s3-credentails-secret)"
+ runAfter:
+ - build-docs
+ workspaces:
+ - name: source
+ workspace: git-repository
+ 
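Review bot: `fetch-source` passes only `url` to `git-clone`, so the pipeline always builds the remote's current default branch rather than the commit that triggered it; the Trigger in `tekton/eventlistener/gitlab/0.1/gitlab.yaml` extracts `gitrevision` from `body.checkout_sha`, but this Pipeline has no parameter to receive it. Add a `revision` param (string, default `""`) and forward it as `- name: revision` / `value: "$(params.revision)"` in `fetch-source`, then pass `$(tt.params.gitrevision)` from the Trigger, so what gets published is the commit the webhook validated. The parameter name `s3-credentails-secret` and the word `credentails` in its description are misspelled; the name is part of the Pipeline's interface, so if it stays for compatibility at least fix the description.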
diff --git a/tekton/pipeline/demo/0.1/demo.yaml b/tekton/pipeline/demo/0.1/demo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8e24546c5b68e314feb6f9bafca238cbd46e8fc0
--- /dev/null
+++ b/tekton/pipeline/demo/0.1/demo.yaml
@@ -0,0 +1,26 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: clone-read
+spec:
+ description: |
+ This pipeline clones a git repo, then echoes the README file to the stdout.
+ params:
+ - name: repo-url
+ type: string
+ description: The git repo URL to clone from.
+ workspaces:
+ - name: shared-data
+ description: |
+ This workspace contains the cloned repo files, so they can be read by the
+ next task.
+ tasks:
+ - name: fetch-source
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-data
+ params:
+ - name: url
+ value: $(params.repo-url)
\ No newline at end of file
diff --git a/tekton/pipeline/kustomization.yaml b/tekton/pipeline/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a6eebc4904d040ca4475d0d59e8c0d266dbb34fe
--- /dev/null
+++ b/tekton/pipeline/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./demo/0.1/demo.yaml
+ - ./build-upload-gitops-docs/0.1/build-upload-gitops-docs.yaml
+ - ./monthly-gitops-release/0.1/monthly-gitops-release.yaml
\ No newline at end of file
diff --git a/tekton/pipeline/monthly-gitops-release/0.1/monthly-gitops-release.yaml b/tekton/pipeline/monthly-gitops-release/0.1/monthly-gitops-release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fc4f15f56330eeeee511a2220c9a1b7a1bd77130
--- /dev/null
+++ b/tekton/pipeline/monthly-gitops-release/0.1/monthly-gitops-release.yaml
@@ -0,0 +1,106 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: monthly-gitops-release
+spec:
+ params:
+ - name: repo-url
+ type: string
+ description: The git repository URL to clone from.
+ - name: revision
+ type: string
+ description: Git branch that is used to fetch
+ default: "main"
+ - name: git-chglog-template
+ description: Path to git-chglog template
+ type: string
+ default: ".chglog/unreleased.tpl.md"
+ - name: gitlab-base-url
+ description: URL of the GitLab instance where the release is created
+ type: string
+ default: "https://git.shivering-isles.com/"
+ - name: gitlab-project-id
+ description: Project ID from the GitLab project where the release is created
+ type: string
+ default: "233"
+ - name: gitlab-credentails-secret
+ description: Kuberentes Secret containing an access token for GitLab with scope API for the GitOps project. The token should be stored under a key called `token`.
+ default: gitlab-gitops-token
+ workspaces:
+ - name: git-repository
+ description: |
+ This workspace contains the cloned repo files, so they can be read by the next task. 
+ tasks:
+ - name: fetch-source
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: git-repository
+ params:
+ - name: url
+ value: "$(params.repo-url)"
+ - name: revision
+ value: "FETCH_HEAD"
+ - name: refspec
+ value: '$(params.revision) +refs/tags/*:refs/tags/*'
+ - name: depth
+ value: "0"
+ - name: verbose
+ value: "false"
+ - name: generate-monthly-calver
+ taskSpec:
+ steps:
+ - image: quay.io/fedora/fedora-minimal:41
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ script: |
+ echo -n $(date +v%y.%m) > "$(results.version.path)"
+ results:
+ - name: version
+ description: Generated CalVer
+ - name: generate-changelog
+ taskRef:
+ name: git-chglog
+ params:
+ - name: template
+ value: "$(params.git-chglog-template)"
+ - name: next-tag
+ value: $(tasks.generate-monthly-calver.results.version)
+ workspaces:
+ - name: source
+ workspace: git-repository
+ runAfter:
+ - fetch-source
+ - generate-monthly-calver
+ - name: release-on-gitlab
+ taskRef:
+ name: create-gitlab-release
+ params:
+ - name: name
+ value: "GitOps Infrastructure $(tasks.generate-monthly-calver.results.version)"
+ - name: ref
+ value: "$(tasks.fetch-source.results.commit)"
+ - name: description
+ value: "$(tasks.generate-changelog.results.changelog)"
+ - name: tag-name
+ value: "$(tasks.generate-monthly-calver.results.version)"
+ - name: server-url
+ value: "$(params.gitlab-base-url)"
+ - name: project-id
+ value: "$(params.gitlab-project-id)"
+ - name: private-token-secret
+ value: "$(params.gitlab-credentails-secret)"
+ runAfter:
+ - generate-changelog
+ workspaces:
+ - name: source
+ workspace: git-repository
+
diff --git a/tekton/security-context-patch.yaml b/tekton/security-context-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cc6b2a37a916630e07a0273a727761cf58e76ec3
--- /dev/null
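Review bot: `release-on-gitlab` receives the whole changelog through a Tekton result (`$(tasks.generate-changelog.results.changelog)`); results are carried in the step container's termination message, which Kubernetes caps at 4096 bytes, so a busy month's changelog makes `generate-changelog` fail outright rather than truncate. A sturdier contract is to have `git-chglog` write the changelog to a file in the shared `git-repository` workspace and let `create-gitlab-release` read it from there — both tasks already mount that workspace. The inline `generate-monthly-calver` step relies on `$(date +v%y.%m)` surviving Tekton's `$(...)` substitution; that holds only because the expression does not match Tekton's variable grammar, so a comment like `# $(date ...) is shell command substitution; Tekton leaves it untouched` will stop the next reader from "fixing" it. Minor: `gitlab-credentails-secret` and `Kuberentes` are misspelled, and `quay.io/fedora/fedora-minimal:41` is pinned by tag only.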
+++ b/tekton/security-context-patch.yaml
@@ -0,0 +1,11 @@
+- op: add
+ path: /spec/steps/0/securityContext
+ value:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
\ No newline at end of file
diff --git a/tekton/task/create-gitlab-release/0.1/create-gitlab-release.yaml b/tekton/task/create-gitlab-release/0.1/create-gitlab-release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6eabfb13b03aceb81b6e333921538b33991c15f3
--- /dev/null
+++ b/tekton/task/create-gitlab-release/0.1/create-gitlab-release.yaml
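Review bot: The JSON patch adds `securityContext` to `/spec/steps/0` only, so in any Task with more than one step every later step runs without the restricted context, and because it uses `op: add` on a path that may already exist it silently replaces a `securityContext` a Task set for itself instead of merging. RFC 6902 has no wildcard index and kustomize's strategic-merge patches cannot key on CRD list items without an `openapi` schema, so the practical options are one `add` per step index the tasks actually use (with a comment stating that assumption), or enforcing the profile at the namespace level through pod-security admission and treating this patch as a convenience. The profile also omits `readOnlyRootFilesystem`; if some task steps need a writable root filesystem, a comment here recording that exception keeps the baseline honest.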
@@ -0,0 +1,64 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: create-gitlab-release + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Git + tekton.dev/tags: gitlab + tekton.dev/displayName: "create GitLab release" + tekton.dev/platforms: "linux/amd64" +spec: + params: + - name: name + description: The release name. + type: string + - name: ref + type: string + description: The git reference for the release + - name: description + description: The description of the release. You can use Markdown. + type: string + - name: tag-name + description: The tag where the release is created from. + type: string + - name: server-url + description: The base URL of the GitLab instance, including protocol and port, for example https://gitlab.example.com:8080 + type: string + - name: project-id + description: The current project's unique ID + type: string + - name: private-token-secret + description: Name of the secret holding the private token used for authenticating with the GitLab Releases API, requires api scope https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html + type: string + - name: private-token-secret-key + description: Name of the key inside the secret holding the private token. 
+ type: string + default: token + steps: + - name: create-release + image: registry.gitlab.com/gitlab-org/release-cli:latest + workingDir: $(workspaces.source.path) + env: + - name: CI_SERVER_URL + value: $(params.server-url) + - name: CI_PROJECT_ID + value: $(params.project-id) + - name: GITLAB_PRIVATE_TOKEN + valueFrom: + secretKeyRef: + name: $(params.private-token-secret) + key: $(params.private-token-secret-key) + script: | + #!/bin/sh + set -e + release-cli create --name "$(params.name)" --description "$(params.description)" --tag-name "$(params.tag-name)" --ref "$(params.ref)" + echo -n "$(params.tag-name)" | tee $(results.tag.path) + results: + - name: tag + description: git tag created for the release + workspaces: + - name: source + description: The workspace containing all content diff --git a/tekton/task/git-chglog/0.1/git-chglog.yaml b/tekton/task/git-chglog/0.1/git-chglog.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8a95a3d35043d927d39cab0f033635861265e149 --- /dev/null +++ b/tekton/task/git-chglog/0.1/git-chglog.yaml 
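Review bot: `$(params.name)`, `$(params.description)`, `$(params.tag-name)` and `$(params.ref)` are substituted verbatim into the `release-cli create` command line, so a value containing a double quote, `$(…)` or `;` executes as shell in a container that holds `GITLAB_PRIVATE_TOKEN`; the description is intended to carry a generated changelog, which is exactly the kind of free-form text this pattern must not trust. Route each param through `env:` (as the step already does for the token) and reference the variables in the script. The step also runs `registry.gitlab.com/gitlab-org/release-cli:latest` with no digest and, unlike the git-chglog, mc-mirror and mdbook-build Tasks in this diff, declares no `securityContext`; consider pinning the image and adding the same restricted context.
```yaml
      env:
        # … unchanged: CI_SERVER_URL, CI_PROJECT_ID, GITLAB_PRIVATE_TOKEN …
        - name: RELEASE_NAME
          value: $(params.name)
        - name: RELEASE_DESCRIPTION
          value: $(params.description)
        - name: RELEASE_TAG_NAME
          value: $(params.tag-name)
        - name: RELEASE_REF
          value: $(params.ref)
      script: |
        #!/bin/sh
        set -eu
        release-cli create --name "${RELEASE_NAME}" --description "${RELEASE_DESCRIPTION}" --tag-name "${RELEASE_TAG_NAME}" --ref "${RELEASE_REF}"
        printf '%s' "${RELEASE_TAG_NAME}" | tee "$(results.tag.path)"
```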
@@ -0,0 +1,62 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: git-chglog + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Publishing + tekton.dev/tags: build + tekton.dev/displayName: "Generate changelog with git-chglog" + tekton.dev/platforms: "linux/amd64" +spec: + description: | + Uses git-chglog to generate a change log for any git repository. + params: + - name: template + description: specifies a template file to pick up. If not specified, use the one in config + type: string + default: "" + - name: next-tag + description: specifies a template file to pick up. If not specified, use the one in config + type: string + default: "" + - name: output + description: output path and filename for the changelogs. If not specified, use CHANGELOG.md + default: CHANGELOG.md + steps: + - name: generate-changelog + image: quay.io/git-chglog/git-chglog:0.15.4 + workingDir: $(workspaces.source.path) + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + env: + - name: HOME + value: /home/git + script: | + #!/bin/sh + set -e + git config --global --add safe.directory "$(workspaces.source.path)" + git-chglog --template=$(params.template) --next-tag=$(params.next-tag) --output "$(params.output)" + echo -n "$(params.output)" > "$(results.changelog.path)" + volumeMounts: + - name: home + mountPath: /home/git + results: + - name: changelog + description: Path to the generated changelog + volumes: + - name: home + emptyDir: + medium: Memory + workspaces: + - name: source + description: The workspace containing all content \ No newline at end of file diff --git a/tekton/task/git-clone-alpine/0.1/git-clone-alpine.yaml b/tekton/task/git-clone-alpine/0.1/git-clone-alpine.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7e1f0719e2a0df0a1c28dcde0d11927c71e4c673 
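Review bot: `--template=$(params.template) --next-tag=$(params.next-tag)` substitutes the params unquoted into the shell script, so a template value such as `x;curl …` is executed rather than passed to git-chglog; move both params (and `output`) into `env:` and quote the variables. Note also that the `changelog` result receives the output *path* (`echo -n "$(params.output)"`), not the changelog body, which matches its own description but the pipeline earlier in this diff appears to pass that result as the GitLab release description, so the release text would be the literal string `CHANGELOG.md`; confirm which is intended.
```yaml
      env:
        - name: HOME
          value: /home/git
        - name: PARAM_TEMPLATE
          value: $(params.template)
        - name: PARAM_NEXT_TAG
          value: $(params.next-tag)
        - name: PARAM_OUTPUT
          value: $(params.output)
      script: |
        #!/bin/sh
        set -eu
        git config --global --add safe.directory "$(workspaces.source.path)"
        git-chglog --template="${PARAM_TEMPLATE}" --next-tag="${PARAM_NEXT_TAG}" --output "${PARAM_OUTPUT}"
        printf '%s' "${PARAM_OUTPUT}" > "$(results.changelog.path)"
```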
--- /dev/null +++ b/tekton/task/git-clone-alpine/0.1/git-clone-alpine.yaml @@ -0,0 +1,60 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: git-clone-alpine + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone" + tekton.dev/platforms: "linux/amd64" +spec: + params: + - name: url + description: Repository URL to clone from. + type: string + - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) + type: string + default: "" + steps: + - name: clone + image: docker.io/alpine/git + env: + - name: HOME + value: /home/git + script: | + #!/bin/sh + set -e + git config --add --global "safe.directory" "$(workspaces.output.path)" + git config --add --global "init.defaultBranch" "main" + # git clone "$(params.url)" "$(workspaces.output.path)" + # Workaround due to workspaces being volumes + cd $(workspaces.output.path) + git init + git remote add origin "$(params.url)" + git fetch origin + git checkout $(params.revision) + cd $(workspaces.output.path) + git log -1 --pretty=%ct > "$(results.committer-date.path)" + git rev-parse HEAD > "$(results.commit.path)" + echo -n "$(params.url)" > "$(results.url.path)" + volumeMounts: + - name: home + mountPath: /home/git + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. + volumes: + - name: home + emptyDir: + medium: Memory + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. 
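Review bot: `git remote add origin "$(params.url)"` and `git checkout $(params.revision)` substitute caller-supplied params straight into the shell script, so a revision such as `main;id` runs as a command; the git-clone Task in the same diff already shows the safe pattern of passing params via `env:`. The step also pulls `docker.io/alpine/git` with no tag or digest, declares no `securityContext` (every other new Task except git-clone sets the restricted one), and uses the deprecated `tekton.dev/v1beta1` API while its siblings use `tekton.dev/v1`. Since `revision` defaults to `""`, the quoted form below fails fast instead of silently running a bare `git checkout`; if the unset case is meant to work, handle it explicitly. Running as 65532 may additionally require an `fsGroup` on a PVC-backed `output` workspace — verify on the target cluster.
```yaml
    - name: clone
      image: docker.io/alpine/git  # TODO: pin to an immutable tag or @sha256 digest
      env:
        - name: HOME
          value: /home/git
        - name: PARAM_URL
          value: $(params.url)
        - name: PARAM_REVISION
          value: $(params.revision)
        - name: WORKSPACE_OUTPUT_PATH
          value: $(workspaces.output.path)
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
      script: |
        #!/bin/sh
        set -eu
        git config --add --global "safe.directory" "${WORKSPACE_OUTPUT_PATH}"
        git config --add --global "init.defaultBranch" "main"
        cd "${WORKSPACE_OUTPUT_PATH}"
        git init
        git remote add origin "${PARAM_URL}"
        git fetch origin
        git checkout "${PARAM_REVISION:?revision must not be empty}"
        # … unchanged: result files (committer-date, commit, url) …
```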
diff --git a/tekton/task/git-clone/0.9/git-clone.yaml b/tekton/task/git-clone/0.9/git-clone.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..364d622b10c14521795e1a2ca0782cff3bb295b8
--- /dev/null
+++ b/tekton/task/git-clone/0.9/git-clone.yaml
@@ -0,0 +1,241 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: git-clone + labels: + app.kubernetes.io/version: "0.9" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + These Tasks are Git tasks to work with repositories used by other tasks + in your Pipeline. + + The git-clone Task will clone a repo from the provided url into the + output Workspace. By default the repo will be cloned into the root of + your Workspace. You can clone into a subdirectory by setting this Task's + subdirectory param. This Task also supports sparse checkouts. To perform + a sparse checkout, pass a list of comma separated directory patterns to + this Task's sparseCheckoutDirectories param. + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. + - name: ssh-directory + optional: true + description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A workspace containing CA certificates, this will be used by Git to + verify the peer with when fetching or pushing over HTTPS. + params: + - name: url + description: Repository URL to clone from. 
+ type: string + - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) + type: string + default: "" + - name: refspec + description: Refspec to fetch before checking out revision. + default: "" + - name: submodules + description: Initialize and fetch git submodules. + type: string + default: "true" + - name: depth + description: Perform a shallow clone, fetching only the most recent N commits. + type: string + default: "1" + - name: sslVerify + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + type: string + default: "true" + - name: crtFileName + description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt. + type: string + default: "ca-bundle.crt" + - name: subdirectory + description: Subdirectory inside the `output` Workspace to clone the repo into. + type: string + default: "" + - name: sparseCheckoutDirectories + description: Define the directory patterns to match or exclude when performing a sparse checkout. + type: string + default: "" + - name: deleteExisting + description: Clean out the contents of the destination directory if it already exists before cloning. + type: string + default: "true" + - name: httpProxy + description: HTTP proxy server for non-SSL requests. + type: string + default: "" + - name: httpsProxy + description: HTTPS proxy server for SSL requests. + type: string + default: "" + - name: noProxy + description: Opt out of proxying HTTP/HTTPS requests. + type: string + default: "" + - name: verbose + description: Log the commands that are executed during `git-clone`'s operation. + type: string + default: "true" + - name: gitInitImage + description: The image providing the git-init binary that this Task runs. 
+ type: string + default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2" + - name: userHome + description: | + Absolute path to the user's home directory. + type: string + default: "/home/git" + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. + steps: + - name: clone + image: "$(params.gitInitImage)" + env: + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_CRT_FILENAME + value: $(params.crtFileName) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + 
value: $(workspaces.ssl-ca-directory.path) + securityContext: + runAsUser: 65532 + script: | + #!/usr/bin/env sh + set -eu + + if [ "${PARAM_VERBOSE}" = "true" ] ; then + set -x + fi + + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* + fi + + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${PARAM_CRT_FILENAME}" != "" ] ; then + export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" + fi + fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. 
plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } + + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir || true + fi + + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + + git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" + printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" diff --git a/tekton/task/gitlab-set-status/0.2/gitlab-set-status.yaml b/tekton/task/gitlab-set-status/0.2/gitlab-set-status.yaml new file mode 100644 index 0000000000000000000000000000000000000000..772baab0bd4183cf2ceb62eba810bc6c0796674d --- /dev/null +++ b/tekton/task/gitlab-set-status/0.2/gitlab-set-status.yaml 
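Review bot: The `clone` step's `securityContext` sets only `runAsUser: 65532`, while the git-chglog, mc-mirror and mdbook-build Tasks in this diff drop all capabilities, disable privilege escalation and pin `RuntimeDefault` seccomp; this is the step that handles `.git-credentials` and the SSH private key, so it should not be the least restricted one. With `verbose` defaulting to `"true"`, `set -x` echoes the full `/ko-app/git-init -url=…` invocation into the step log, so a URL carrying embedded credentials would be logged — worth a warning in the `verbose` param description. Minor: under `set -eu` a failing `git rev-parse HEAD` aborts the script before `EXIT_CODE="$?"` is evaluated, so that check is dead and can be dropped.
```yaml
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
      script: |
        # … unchanged: clone script …
```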
@@ -0,0 +1,163 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: gitlab-set-status + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/categories: Git + tekton.dev/tags: gitlab, git + tekton.dev/displayName: "Set Gitlab commit status" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This task will set the status of the CI job to the specified value along + with a link to the specified target URL where developers can follow the + progress of the CI job. + + The `gitlab-set-status` task allows external services to mark GitLab commits + with an `error`, `failure`, `pending`, or `success` state, which is then + reflected in merge requests involving those commits. Statuses include as well a + `description`, a `target_url` and a `coverage`, to give the user informations + about the CI statuses or a direct link to the full log. + + params: + - name: GITLAB_HOST_URL + description: | + The GitLab host, adjust this if you run a GitLab enterprise. + default: "gitlab.com" + type: string + + - name: API_PATH_PREFIX + description: | + The API path prefix, GitLab Enterprise has a prefix e.g. /api/v4 + default: "/api/v4" + type: string + + - name: REPO_FULL_NAME + description: | + The GitLab repository full name, e.g.: tektoncd/catalog + type: string + + - name: GITLAB_TOKEN_SECRET_NAME + description: | + The name of the kubernetes secret that contains the GitLab token, default: gitlab-api-secret + type: string + default: gitlab-api-secret + + - name: GITLAB_TOKEN_SECRET_KEY + description: | + The key within the kubernetes secret that contains the GitLab token, default: token + type: string + default: token + + - name: SHA + description: | + Commit SHA to set the status for. + type: string + + - name: TARGET_URL + description: | + The target URL to associate with this status. This URL will be linked + from the GitLab UI to allow users to easily see the source of the + status. 
+ type: string + + - name: DESCRIPTION + description: | + A short description of the status. + type: string + + - name: CONTEXT + description: | + The GitLab context, A string label to differentiate this status from + the status of other systems. ie: "continuous-integration/tekton" + default: "continuous-integration/tekton" + type: string + + - name: STATE + description: | + The state of the status. Can be one of the following `pending`, + `running`, `success`, `failed`, or `canceled`. + type: string + + - name: COVERAGE + description: | + The total code coverage. + type: string + default: "" + + steps: + - name: set-status + image: registry.access.redhat.com/ubi8/python-38@sha256:af6f93b81f9313de95966e8cd681edb9dbcb5fdbddc5a4cc365af8e4534096ef + script: | + #!/usr/libexec/platform-python + + """This script will set the pipeline status of a commit on GitLab.""" + import os + import sys + import json + import http.client + import urllib.parse + + GITLAB_TOKEN = os.getenv("GITLAB_TOKEN") + GITLAB_HOST_URL = "$(params.GITLAB_HOST_URL)" + API_PATH_PREFIX = "$(params.API_PATH_PREFIX)" + REPO_FULL_NAME = "$(params.REPO_FULL_NAME)" + SHA = "$(params.SHA)" + STATE = "$(params.STATE)" + CONTEXT = "$(params.CONTEXT)" + TARGET_URL = "$(params.TARGET_URL)" + DESCRIPTION = "$(params.DESCRIPTION)" + COVERAGE = "$(params.COVERAGE)" + + headers = { + "User-Agent": "TektonCD, the peaceful cat", + "Authorization": f"Bearer {GITLAB_TOKEN}", + } + + URLENCODED_REPO_NAME = urllib.parse.quote(REPO_FULL_NAME, safe="") + + params = { + "state": STATE, + "context": CONTEXT, + "target_url": TARGET_URL, + "description": DESCRIPTION + } + + if COVERAGE: + params["coverage"] = float(COVERAGE) + + encoded_params = urllib.parse.urlencode(params) + + api_url = f"{API_PATH_PREFIX}/projects/{URLENCODED_REPO_NAME}/statuses/{SHA}?{encoded_params}" + + print(f"POST to {GITLAB_HOST_URL}{api_url}") + + if GITLAB_HOST_URL.startswith("http://"): + conn = http.client.HTTPConnection(GITLAB_HOST_URL[7:]) + 
elif GITLAB_HOST_URL.startswith("https://"): + conn = http.client.HTTPSConnection(GITLAB_HOST_URL[8:]) + else: + conn = http.client.HTTPSConnection(GITLAB_HOST_URL) + try: + conn.request("POST", api_url, headers=headers) + + resp = conn.getresponse() + if not str(resp.status).startswith("2"): + print(f"{resp.status} | Unable to set status") + response_data = json.dumps(json.loads(resp.read()), indent=4) + print(response_data) + sys.exit(1) + else: + print(f"Just set status of {REPO_FULL_NAME}#{SHA} to {STATE}") + finally: + conn.close() + + env: + - name: GITLAB_TOKEN + valueFrom: + secretKeyRef: + name: $(params.GITLAB_TOKEN_SECRET_NAME) + key: $(params.GITLAB_TOKEN_SECRET_KEY) diff --git a/tekton/task/kustomization.yaml b/tekton/task/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7d6e71a872c199d9233fbca1c8cea2e18035a939 --- /dev/null +++ b/tekton/task/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ./git-clone/0.9/git-clone.yaml + - ./gitlab-set-status/0.2/gitlab-set-status.yaml + - ./git-clone-alpine/0.1/git-clone-alpine.yaml + - ./mc-mirror/0.1/mc-mirror.yaml + - ./mdbook-build/0.1/mdbook-build.yaml + - ./git-chglog/0.1/git-chglog.yaml + - ./create-gitlab-release/0.1/create-gitlab-release.yaml \ No newline at end of file diff --git a/tekton/task/mc-mirror/0.1/mc-mirror.yaml b/tekton/task/mc-mirror/0.1/mc-mirror.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fbcc15e8c9309f87e0b544fcd4244c86eda01581 --- /dev/null +++ b/tekton/task/mc-mirror/0.1/mc-mirror.yaml 
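Review bot: Every Tekton param is substituted verbatim into a Python string literal (`SHA = "$(params.SHA)"`, `DESCRIPTION = "$(params.DESCRIPTION)"`, `TARGET_URL = …`), so a value containing a double quote or newline terminates the literal and the remainder is executed as Python in a container that holds `GITLAB_TOKEN`; description and target URL are commonly built from caller-controlled data. The step already reads the token via `env:` and `os.getenv`, so extend that pattern to all params. Separately, the `http://` branch sends the bearer token in cleartext; either reject it or document it as test-only in the `GITLAB_HOST_URL` description.
```yaml
      script: |
        #!/usr/libexec/platform-python
        import os
        # … unchanged: remaining imports …
        GITLAB_TOKEN = os.environ["GITLAB_TOKEN"]
        GITLAB_HOST_URL = os.environ["PARAM_GITLAB_HOST_URL"]
        API_PATH_PREFIX = os.environ["PARAM_API_PATH_PREFIX"]
        REPO_FULL_NAME = os.environ["PARAM_REPO_FULL_NAME"]
        SHA = os.environ["PARAM_SHA"]
        STATE = os.environ["PARAM_STATE"]
        CONTEXT = os.environ["PARAM_CONTEXT"]
        TARGET_URL = os.environ["PARAM_TARGET_URL"]
        DESCRIPTION = os.environ["PARAM_DESCRIPTION"]
        COVERAGE = os.environ["PARAM_COVERAGE"]
        # … unchanged: request construction and response handling …
      env:
        # … unchanged: GITLAB_TOKEN secretKeyRef …
        - name: PARAM_GITLAB_HOST_URL
          value: $(params.GITLAB_HOST_URL)
        - name: PARAM_API_PATH_PREFIX
          value: $(params.API_PATH_PREFIX)
        - name: PARAM_REPO_FULL_NAME
          value: $(params.REPO_FULL_NAME)
        - name: PARAM_SHA
          value: $(params.SHA)
        - name: PARAM_STATE
          value: $(params.STATE)
        - name: PARAM_CONTEXT
          value: $(params.CONTEXT)
        - name: PARAM_TARGET_URL
          value: $(params.TARGET_URL)
        - name: PARAM_DESCRIPTION
          value: $(params.DESCRIPTION)
        - name: PARAM_COVERAGE
          value: $(params.COVERAGE)
```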
@@ -0,0 +1,76 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: mc-mirror + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Publishing + tekton.dev/tags: build + tekton.dev/displayName: "upload to s3" + tekton.dev/platforms: "linux/amd64" +spec: + params: + - name: source + description: Path to mirror + type: string + - name: MINIO_ENDPOINT + description: Location of your MINIO instance e.g. https://minio.example.com:9000 + type: string + - name: MINIO_BUCKET + description: Name of the MINIO Bucket that is targeted + - name: MINIO_CREDENTIAL_SECRET + description: Name of the secret containing the username & password used to upload to S3. + default: "mc-credentails" + type: string + - name: SECRET_USERNAME_KEY + description: Name of the secret key containing the minio access key. + default: "username" + type: string + - name: SECRET_PASSWORD_KEY + description: Name of the secret key containing the minio access secret. 
+ default: "password" + type: string + steps: + - name: mc-mirror + image: docker.io/minio/mc + workingDir: $(workspaces.source.path) + env: + - name: MINIO_ENDPOINT + value: $(params.MINIO_ENDPOINT) + - name: MINIO_BUCKET + value: $(params.MINIO_BUCKET) + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: $(params.MINIO_CREDENTIAL_SECRET) + key: $(params.SECRET_USERNAME_KEY) + - name: MINIO_ACCESS_SECRET + valueFrom: + secretKeyRef: + name: $(params.MINIO_CREDENTIAL_SECRET) + key: $(params.SECRET_PASSWORD_KEY) + script: | + #!/bin/sh + set -e + mc alias set minio "${MINIO_ENDPOINT}" "${MINIO_ACCESS_KEY}" "${MINIO_ACCESS_SECRET}" + mc mirror --remove --overwrite "$(params.source)" minio/${MINIO_BUCKET} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /.mc + volumes: + - name: config + emptyDir: {} + workspaces: + - name: source + description: The workspace containing all content \ No newline at end of file diff --git a/tekton/task/mdbook-build/0.1/mdbook-build.yaml b/tekton/task/mdbook-build/0.1/mdbook-build.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5845d7de40d7b53c92729efef043896c6272824e --- /dev/null +++ b/tekton/task/mdbook-build/0.1/mdbook-build.yaml 
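Review bot: `$(params.source)` is substituted directly into the shell script while the endpoint, bucket and credentials already travel through `env:`; a source value containing shell metacharacters runs as code with `MINIO_ACCESS_KEY`/`MINIO_ACCESS_SECRET` in the environment. Add `- name: MIRROR_SOURCE` / `value: $(params.source)` under `env:` and run `mc mirror --remove --overwrite "${MIRROR_SOURCE}" "minio/${MINIO_BUCKET}"`. `mc alias set` persists the access key and secret into `/.mc/config.json`, which here is a disk-backed `emptyDir: {}`, unlike the `medium: Memory` volumes used by the sibling Tasks. `--remove` deletes every bucket object absent from the source, so a wrong or empty source path empties the bucket; a comment stating that intent above the command, plus pinning the untagged `docker.io/minio/mc` image, would help.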
@@ -0,0 +1,40 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: mdbook-build + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.50.0" + tekton.dev/categories: Build Tools + tekton.dev/tags: buildtools + tekton.dev/platforms: "linux/amd64,linux/arm64" + tekton.dev/displayName: mdbook-build +spec: + params: + - name: content-dir + type: string + description: The directory where the content is located + default: "" + steps: + - name: build-mdbook + image: ghcr.io/peaceiris/mdbook:v0.4.40 + workingDir: $(workspaces.source.path) + env: + - name: MDBOOK_CONTENT_DIR + value: $(params.content-dir) + script: | + #!/bin/sh + mdbook build ${MDBOOK_CONTENT_DIR} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + workspaces: + - name: source + description: The workspace containing the documentation to build \ No newline at end of file diff --git a/tekton/tekton-images.yaml b/tekton/tekton-images.yaml new file mode 100644 index 0000000000000000000000000000000000000000..46ba6c094724e1125b9389b833d9941d6a624aa4 --- /dev/null +++ b/tekton/tekton-images.yaml @@ -0,0 +1,3 @@ +images: +- kind: Task + path: spec/steps[]/image \ No newline at end of file
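Review bot: `mdbook build ${MDBOOK_CONTENT_DIR}` is unquoted and the script has no `set -e`; the unquoted expansion is presumably there so the empty default collapses to a bare `mdbook build`, but a path with spaces splits into several arguments, and once a second command is added failures will be masked. `mdbook build "${MDBOOK_CONTENT_DIR:-.}"` after `set -eu` keeps the empty-default behaviour while quoting the argument. The image is pinned by tag only; the `tekton-images.yaml` transformer config added alongside could be used to pin these step images by digest.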