Skip to content

Instantly share code, notes, and snippets.

@bryanl

bryanl/gist:1168b13b698b460c9d3d4ee0520cda53

Created August 28, 2020 12:21
Show Gist options
  • Save bryanl/1168b13b698b460c9d3d4ee0520cda53 to your computer and use it in GitHub Desktop.
Save bryanl/1168b13b698b460c9d3d4ee0520cda53 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: images.caching.internal.knative.dev
labels:
knative.dev/crd-install: "true"
spec:
group: caching.internal.knative.dev
version: v1alpha1
names:
kind: Image
plural: images
singular: image
categories:
- knative-internal
- caching
shortNames:
- img
scope: Namespaced
subresources:
status: {}
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: controller
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-admin
labels:
serving.knative.dev/release: "v0.17.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
serving.knative.dev/controller: "true"
rules: [] # Rules are automatically filled in by the controller manager.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: knative-serving-controller-admin
labels:
serving.knative.dev/release: "v0.17.0"
subjects:
- kind: ServiceAccount
name: controller
namespace: knative-serving
roleRef:
kind: ClusterRole
name: knative-serving-admin
apiGroup: rbac.authorization.k8s.io
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: caching.internal.knative.dev/v1alpha1
kind: Image
metadata:
name: queue-proxy
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:bba041b926e31e9d5da2cb799001b31fce4c519037334db3751eb5f69d0f227f
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-autoscaler
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "7b6520ae"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# The Revision ContainerConcurrency field specifies the maximum number
# of requests the Container can handle at once. Container concurrency
# target percentage is how much of that maximum to use in a stable
# state. E.g. if a Revision specifies ContainerConcurrency of 10, then
# the Autoscaler will try to maintain 7 concurrent connections per pod
# on average.
# Note: this limit will be applied to container concurrency set at every
# level (ConfigMap, Revision Spec or Annotation).
# For legacy and backwards compatibility reasons, this value also accepts
# fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%).
# Thus minimal percentage value must be greater than 1.0, or it will be
# treated as a fraction.
# NOTE: that this value does not affect actual number of concurrent requests
# the user container may receive, but only the average number of requests
# that the revision pods will receive.
container-concurrency-target-percentage: "70"
# The container concurrency target default is what the Autoscaler will
# try to maintain when concurrency is used as the scaling metric for the
# Revision and the Revision specifies unlimited concurrency.
# When revision explicitly specifies container concurrency, that value
# will be used as a scaling target for autoscaler.
# When specifying unlimited concurrency, the autoscaler will
# horizontally scale the application based on this target concurrency.
# This is what we call "soft limit" in the documentation, i.e. it only
# affects number of pods and does not affect the number of requests
# individual pod processes.
# The value must be a positive number such that the value multiplied
# by container-concurrency-target-percentage is greater than 0.01.
# NOTE: that this value will be adjusted by application of
# container-concurrency-target-percentage, i.e. by default
# the system will target on average 70 concurrent requests
# per revision pod.
# NOTE: Only one metric can be used for autoscaling a Revision.
container-concurrency-target-default: "100"
# The requests per second (RPS) target default is what the Autoscaler will
# try to maintain when RPS is used as the scaling metric for a Revision and
# the Revision specifies unlimited RPS. Even when specifying unlimited RPS,
# the autoscaler will horizontally scale the application based on this
# target RPS.
# Must be greater than 1.0.
# NOTE: Only one metric can be used for autoscaling a Revision.
requests-per-second-target-default: "200"
# The target burst capacity specifies the size of burst in concurrent
# requests that the system operator expects the system will receive.
# Autoscaler will try to protect the system from queueing by introducing
# Activator in the request path if the current spare capacity of the
# service is less than this setting.
# If this setting is 0, then Activator will be in the request path only
# when the revision is scaled to 0.
# If this setting is > 0 and container-concurrency-target-percentage is
# 100% or 1.0, then activator will always be in the request path.
# -1 denotes unlimited target-burst-capacity and activator will always
# be in the request path.
# Other negative values are invalid.
target-burst-capacity: "200"
# When operating in a stable mode, the autoscaler operates on the
# average concurrency over the stable window.
# Stable window must be in whole seconds.
stable-window: "60s"
# When observed average concurrency during the panic window reaches
# panic-threshold-percentage the target concurrency, the autoscaler
# enters panic mode. When operating in panic mode, the autoscaler
# scales on the average concurrency over the panic window which is
# panic-window-percentage of the stable-window.
# Must be in the [1, 100] range.
# When computing the panic window it will be rounded to the closest
# whole second, at least 1s.
panic-window-percentage: "10.0"
# The percentage of the container concurrency target at which to
# enter panic mode when reached within the panic window.
panic-threshold-percentage: "200.0"
# Max scale up rate limits the rate at which the autoscaler will
# increase pod count. It is the maximum ratio of desired pods versus
# observed pods.
# Cannot be less or equal to 1.
# I.e with value of 2.0 the number of pods can at most go N to 2N
# over single Autoscaler period (2s), but at least N to
# N+1, if Autoscaler needs to scale up.
max-scale-up-rate: "1000.0"
# Max scale down rate limits the rate at which the autoscaler will
# decrease pod count. It is the maximum ratio of observed pods versus
# desired pods.
# Cannot be less or equal to 1.
# I.e. with value of 2.0 the number of pods can at most go N to N/2
# over single Autoscaler evaluation period (2s), but at
# least N to N-1, if Autoscaler needs to scale down.
max-scale-down-rate: "2.0"
# Scale to zero feature flag.
enable-scale-to-zero: "true"
# Scale to zero grace period is the time an inactive revision is left
# running before it is scaled to zero (min: 6s).
# This is the upper limit and is provided not to enforce timeout after
# the revision stopped receiving requests for stable window, but to
# ensure network reprogramming to put activator in the path has completed.
# If the system determines that a shorter period is satisfactory,
# then the system will only wait that amount of time before scaling to 0.
# NOTE: this period might actually be 0, if activator has been
# in the request path sufficiently long.
# If there is necessity for the last pod to linger longer use
# scale-to-zero-pod-retention-period flag.
scale-to-zero-grace-period: "30s"
# Scale to zero pod retention period defines the minimum amount
# of time the last pod will remain after Autoscaler has decided to
# scale to zero.
# This flag is for the situations where the pod starup is very expensive
# and the traffic is bursty (requiring smaller windows for fast action),
# but patchy.
# The larger of this flag and `scale-to-zero-grace-period` will effectively
# detemine how the last pod will hang around.
scale-to-zero-pod-retention-period: "0s"
# pod-autoscaler-class specifies the default pod autoscaler class
# that should be used if none is specified. If omitted, the Knative
# Horizontal Pod Autoscaler (KPA) is used by default.
pod-autoscaler-class: "kpa.autoscaling.knative.dev"
# The capacity of a single activator task.
# The `unit` is one concurrent request proxied by the activator.
# activator-capacity must be at least 1.
# This value is used for computation of the Activator subset size.
# See the algorithm here: http://bit.ly/38XiCZ3.
# TODO(vagababov): tune after actual benchmarking.
activator-capacity: "100.0"
# initial-scale is the cluster-wide default value for the initial target
# scale of a revision after creation, unless overridden by the
# "autoscaling.knative.dev/initialScale" annotation.
# This value must be greater than 0 unless allow-zero-initial-scale is true.
initial-scale: "1"
# allow-zero-initial-scale controls whether either the cluster-wide initial-scale flag,
# or the "autoscaling.knative.dev/initialScale" annotation, can be set to 0.
allow-zero-initial-scale: "false"
# max-scale is the cluster-wide default value for the max scale of a revision,
# unless overridden by the "autoscaling.knative.dev/maxScale" annotation.
# If set to 0, the revision has no maximum scale.
max-scale: "0"
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-defaults
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "b44360b5"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# revision-timeout-seconds contains the default number of
# seconds to use for the revision's per-request timeout, if
# none is specified.
revision-timeout-seconds: "300" # 5 minutes
# max-revision-timeout-seconds contains the maximum number of
# seconds that can be used for revision-timeout-seconds.
# This value must be greater than or equal to revision-timeout-seconds.
# If omitted, the system default is used (600 seconds).
#
# If this value is increased, the activator's terminationGraceTimeSeconds
# should also be increased to prevent in-flight requests being disrupted.
max-revision-timeout-seconds: "600" # 10 minutes
# revision-cpu-request contains the cpu allocation to assign
# to revisions by default. If omitted, no value is specified
# and the system default is used.
revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU)
# revision-memory-request contains the memory allocation to assign
# to revisions by default. If omitted, no value is specified
# and the system default is used.
revision-memory-request: "100M" # 100 megabytes of memory
# revision-ephemeral-storage-request contains the ephemeral storage
# allocation to assign to revisions by default. If omitted, no value is
# specified and the system default is used.
revision-ephemeral-storage-request: "500M" # 500 megabytes of storage
# revision-cpu-limit contains the cpu allocation to limit
# revisions to by default. If omitted, no value is specified
# and the system default is used.
revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU)
# revision-memory-limit contains the memory allocation to limit
# revisions to by default. If omitted, no value is specified
# and the system default is used.
revision-memory-limit: "200M" # 200 megabytes of memory
# revision-ephemeral-storage-limit contains the ephemeral storage
# allocation to limit revisions to by default. If omitted, no value is
# specified and the system default is used.
revision-ephemeral-storage-limit: "750M" # 750 megabytes of storage
# container-name-template contains a template for the default
# container name, if none is specified. This field supports
# Go templating and is supplied with the ObjectMeta of the
# enclosing Service or Configuration, so values such as
# {{.Name}} are also valid.
container-name-template: "user-container"
# container-concurrency specifies the maximum number
# of requests the Container can handle at once, and requests
# above this threshold are queued. Setting a value of zero
# disables this throttling and lets through as many requests as
# the pod receives.
container-concurrency: "0"
# The container concurrency max limit is an operator setting ensuring that
# the individual revisions cannot have arbitrary large concurrency
# values, or autoscaling targets. `container-concurrency` default setting
# must be at or below this value.
#
# Must be greater than 1.
#
# Note: even with this set, a user can choose a containerConcurrency
# of 0 (i.e. unbounded) unless allow-container-concurrency-zero is
# set to "false".
container-concurrency-max-limit: "1000"
# allow-container-concurrency-zero controls whether users can
# specify 0 (i.e. unbounded) for containerConcurrency.
allow-container-concurrency-zero: "true"
# enable-service-links specifies the default value used for the
# enableServiceLinks field of the PodSpec, when it is omitted by the user.
# See: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#accessing-the-service
#
# In environments with large number of services it is suggested
# to set this value to `false`.
# See https://github.com/knative/serving/issues/8498.
enable-service-links: "default"
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-deployment
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "a409bec7"
data:
# This is the Go import path for the binary that is containerized
# and substituted here.
queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:bba041b926e31e9d5da2cb799001b31fce4c519037334db3751eb5f69d0f227f
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# List of repositories for which tag to digest resolving should be skipped
registriesSkippingTagResolving: "ko.local,dev.local"
# ProgressDeadline is the duration we wait for the deployment to
# be ready before considering it failed.
progressDeadline: "120s"
# queueSidecarCPURequest is the requests.cpu to set for the queue proxy sidecar container.
# If omitted, a default value (currently "25m"), is used.
queueSidecarCPURequest: "25m"
# queueSidecarCPULimit is the limits.cpu to set for the queue proxy sidecar container.
# If omitted, no value is specified and the system default is used.
queueSidecarCPULimit: "1000m"
# queueSidecarMemoryRequest is the requests.memory to set for the queue proxy container.
# If omitted, no value is specified and the system default is used.
queueSidecarMemoryRequest: "400Mi"
# queueSidecarMemoryLimit is the limits.memory to set for the queue proxy container.
# If omitted, no value is specified and the system default is used.
queueSidecarMemoryLimit: "800Mi"
# queueSidecarEphemeralStorageRequest is the requests.ephemeral-storage to
# set for the queue proxy sidecar container.
# If omitted, no value is specified and the system default is used.
queueSidecarEphemeralStorageRequest: "512Mi"
# queueSidecarEphemeralStorageLimit is the limits.ephemeral-storage to set
# for the queue proxy sidecar container.
# If omitted, no value is specified and the system default is used.
queueSidecarEphemeralStorageLimit: "1024Mi"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-domain
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "f8e5beb4"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# Default value for domain.
# Although it will match all routes, it is the least-specific rule so it
# will only be used if no other domain matches.
example.com: |
# These are example settings of domain.
# example.org will be used for routes having app=nonprofit.
example.org: |
selector:
app: nonprofit
# Routes having domain suffix of 'svc.cluster.local' will not be exposed
# through Ingress. You can define your own label selector to assign that
# domain suffix to your Route here, or you can set the label
# "serving.knative.dev/visibility=cluster-local"
# to achieve the same effect. This shows how to make routes having
# the label app=secret only exposed to the local cluster.
svc.cluster.local: |
selector:
app: secret
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-features
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "dd011edb"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# Indicates whether multi container support is enabled
multi-container: "enabled"
# Indicates whether Kubernetes affinity support is enabled
kubernetes.podspec-affinity: "disabled"
# Indicates whether Kubernetes nodeSelector support is enabled
kubernetes.podspec-nodeselector: "disabled"
# Indicates whether Kubernetes tolerations support is enabled
kubernetes.podspec-tolerations: "disabled"
# Indicates whether Kubernetes FieldRef support is enabled
kubernetes.podspec-fieldref: "disabled"
# This feature validates PodSpecs from the validating webhook
# against the K8s API Server.
#
# When "enabled", the server will always run the extra validation.
# When "allowed", the server will not run the dry-run validation by default.
# However, clients may enable the behavior on an individual Service by
# attaching the following metadata annotation: "features.knative.dev/podspec-dryrun":"enabled".
kubernetes.podspec-dryrun: "allowed"
# This feature allows end-users to set a subset of fields on the Pod's SecurityContext
# in addition to expanding the allowable fields within a Container's SecurityContext.
#
# When set to "enabled" or "allowed" it allows the following
# PodSecurityContext properties:
# - FSGroup
# - RunAsGroup
# - RunAsNonRoot
# - SupplementalGroups
# - RunAsUser
#
# When set to "enabled" or "allowed" it allows the following
# Container SecurityContext properties:
# - RunAsNonRoot
# - RunAsGroup
# - RunAsUser (already allowed without this flag)
#
# This feature flag should be used with caution as the PodSecurityContext
# properties may have a side-effect on non-user sidecar containers that come
# from Knative or your service mesh
#
kubernetes.podspec-securitycontext: "disabled"
# Indicates whether new responsive garbage collection is enabled. This
# feature labels revisions in real-time as they become referenced and
# dereferenced by Routes. This allows us to reap revisions shortly after
# they are no longer active.
# ALPHA WARNING: This feature is not yet stable or complete. Enabling it
# should be used for testing purposes only.
responsive-revision-gc: "disabled"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-gc
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "4b89cfa0"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# Delay after revision creation before considering it for GC
stale-revision-create-delay: "48h"
# Duration since a route has pointed at the revision before it
# should be GC'd.
# This minus lastpinned-debounce must be longer than the controller
# resync period (10 hours).
stale-revision-timeout: "15h"
# Minimum number of generations of non-active revisions to keep before
# considering them for GC.
stale-revision-minimum-generations: "20"
# To avoid constant updates, we allow an existing annotation to be stale by this
# amount before we update the timestamp.
stale-revision-lastpinned-debounce: "5h"
# ---------------------------------------
# V2 Garbage Collector Settings
# ---------------------------------------
#
# These settings are enabled via the "responsive-revision-gc" feature flag.
# ALPHA NOTE: This feature is still experimental and under active development.
#
# Active
# * Revisions which are referenced by a Route are considered active.
# * Individual revisions may be marked with the annotation
# "knative.dev/no-gc":"true" to be permanently considered active.
# * Active revisions are not considered for GC.
# Retention
# * Revisions are retained if they are any of the following:
# 1. Active
# 2. Were created within "retain-since-create-time"
# 3. Were last referenced by a route within
# "retain-since-last-active-time"
# 4. There are fewer than "min-non-active-revisions"
# If none of these conditions are met, or if the count of revisions exceed
# "max-non-active-revisions", they will be deleted by GC.
# The special value "disabled" may be used to turn off these limits.
#
# Example config to immediately collect any inactive revision:
# min-non-active-revisions: "0"
# retain-since-create-time: "disabled"
# retain-since-last-active-time: "disabled"
#
# Example config to always keep around the last ten non-active revisions:
# retain-since-create-time: "disabled"
# retain-since-last-active-time: "disabled"
# max-non-active-revisions: "10"
#
# Example config to disable all GC:
# retain-since-create-time: "disabled"
# retain-since-last-active-time: "disabled"
# max-non-active-revisions: "disabled"
#
# Example config to keep recently deployed or active revisions,
# always maintain the last two in case of rollback, and prevent
# burst activity from exploding the count of old revisions:
# retain-since-create-time: "48h"
# retain-since-last-active-time: "15h"
# min-non-active-revisions: "2"
# max-non-active-revisions: "1000"
# Duration since creation before considering a revision for GC or "disabled".
retain-since-create-time: "48h"
# Duration since active before considering a revision for GC or "disabled".
retain-since-last-active-time: "15h"
# Minimum number of non-active revisions to retain.
min-non-active-revisions: "20"
# Maximum number of non-active revisions to retain
# or "disabled" to disable any maximum limit.
max-non-active-revisions: "1000"
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-leader-election
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "a255a6cc"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# leaseDuration is how long non-leaders will wait to try to acquire the
# lock; 15 seconds is the value used by core kubernetes controllers.
leaseDuration: "15s"
# renewDeadline is how long a leader will try to renew the lease before
# giving up; 10 seconds is the value used by core kubernetes controllers.
renewDeadline: "10s"
# retryPeriod is how long the leader election client waits between tries of
# actions; 2 seconds is the value used by core kubernetes controllers.
retryPeriod: "2s"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-logging
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "23eed3d8"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# Common configuration for all Knative codebase
zap-logger-config: |
{
"level": "info",
"development": false,
"outputPaths": ["stdout"],
"errorOutputPaths": ["stderr"],
"encoding": "json",
"encoderConfig": {
"timeKey": "ts",
"levelKey": "level",
"nameKey": "logger",
"callerKey": "caller",
"messageKey": "msg",
"stacktraceKey": "stacktrace",
"lineEnding": "",
"levelEncoder": "",
"timeEncoder": "iso8601",
"durationEncoder": "",
"callerEncoder": ""
}
}
# Log level overrides
# For all components except the autoscaler and queue proxy,
# changes are be picked up immediately.
# For autoscaler and queue proxy, changes require recreation of the pods.
loglevel.controller: "info"
loglevel.autoscaler: "info"
loglevel.queueproxy: "info"
loglevel.webhook: "info"
loglevel.activator: "info"
loglevel.hpaautoscaler: "info"
loglevel.certcontroller: "info"
loglevel.istiocontroller: "info"
loglevel.nscontroller: "info"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-network
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "b22469ec"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# DEPRECATED:
# istio.sidecar.includeOutboundIPRanges is obsolete.
# The current versions have outbound network access enabled by default.
# If you need this option for some reason, please use global.proxy.includeIPRanges in Istio.
#
# istio.sidecar.includeOutboundIPRanges: "*"
# ingress.class specifies the default ingress class
# to use when not dictated by Route annotation.
#
# If not specified, will use the Istio ingress.
#
# Note that changing the Ingress class of an existing Route
# will result in undefined behavior. Therefore it is best to only
# update this value during the setup of Knative, to avoid getting
# undefined behavior.
ingress.class: "istio.ingress.networking.knative.dev"
# certificate.class specifies the default Certificate class
# to use when not dictated by Route annotation.
#
# If not specified, will use the Cert-Manager Certificate.
#
# Note that changing the Certificate class of an existing Route
# will result in undefined behavior. Therefore it is best to only
# update this value during the setup of Knative, to avoid getting
# undefined behavior.
certificate.class: "cert-manager.certificate.networking.knative.dev"
# domainTemplate specifies the golang text template string to use
# when constructing the Knative service's DNS name. The default
# value is "{{.Name}}.{{.Namespace}}.{{.Domain}}".
#
# Valid variables defined in the template include Name, Namespace, Domain,
# Labels, and Annotations. Name will be the result of the tagTemplate
# below, if a tag is specified for the route.
#
# Changing this value might be necessary when the extra levels in
# the domain name generated is problematic for wildcard certificates
# that only support a single level of domain name added to the
# certificate's domain. In those cases you might consider using a value
# of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace
# entirely from the template. When choosing a new value be thoughtful
# of the potential for conflicts - for example, when users choose to use
# characters such as `-` in their service, or namespace, names.
# {{.Annotations}} or {{.Labels}} can be used for any customization in the
# go template if needed.
# We strongly recommend keeping namespace part of the template to avoid
# domain name clashes:
# eg. '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}'
# and you have an annotation {"sub":"foo"}, then the generated template
# would be {Name}-{Namespace}.foo.{Domain}
domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}"
# tagTemplate specifies the golang text template string to use
# when constructing the DNS name for "tags" within the traffic blocks
# of Routes and Configuration. This is used in conjunction with the
# domainTemplate above to determine the full URL for the tag.
tagTemplate: "{{.Tag}}-{{.Name}}"
# Controls whether TLS certificates are automatically provisioned and
# installed in the Knative ingress to terminate external TLS connection.
# 1. Enabled: enabling auto-TLS feature.
# 2. Disabled: disabling auto-TLS feature.
autoTLS: "Disabled"
# Controls the behavior of the HTTP endpoint for the Knative ingress.
# It requires autoTLS to be enabled.
# 1. Enabled: The Knative ingress will be able to serve HTTP connection.
# 2. Disabled: The Knative ingress will reject HTTP traffic.
# 3. Redirected: The Knative ingress will send a 302 redirect for all
# http connections, asking the clients to use HTTPS
httpProtocol: "Enabled"
# Controls whether tag header based routing feature are enabled or not.
# 1. Enabled: enabling tag header based routing
# 2. Disabled: disabling tag header based routing
tagHeaderBasedRouting: "Disabled"
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-observability
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "11674c15"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# logging.enable-var-log-collection defaults to false.
# The fluentd daemon set will be set up to collect /var/log if
# this flag is true.
logging.enable-var-log-collection: "false"
# logging.revision-url-template provides a template to use for producing the
# logging URL that is injected into the status of each Revision.
# This value is what you might use the the Knative monitoring bundle, and provides
# access to Kibana after setting up kubectl proxy.
logging.revision-url-template: "http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase))))"
# If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe
# requests.
# NB: after 0.18 release logging.enable-request-log must be explicitly set to true
# in order for request logging to be enabled.
#
# The value determines the shape of the request logs and it must be a valid go text/template.
# It is important to keep this as a single line. Multiple lines are parsed as separate entities
# by most collection agents and will split the request logs into multiple records.
#
# The following fields and functions are available to the template:
#
# Request: An http.Request (see https://golang.org/pkg/net/http/#Request)
# representing an HTTP request received by the server.
#
# Response:
# struct {
# Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml)
# Size int // An int representing the size of the response.
# Latency float64 // A float64 representing the latency of the response in seconds.
# }
#
# Revision:
# struct {
# Name string // Knative revision name
# Namespace string // Knative revision namespace
# Service string // Knative service name
# Configuration string // Knative configuration name
# PodName string // Name of the pod hosting the revision
# PodIP string // IP of the pod hosting the revision
# }
#
logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}'
# If true, the request logging will be enabled.
# NB: up to and including Knative version 0.18 if logging.requst-log-template is non-empty, this value
# will be ignored.
logging.enable-request-log: "false"
# If true, this enables queue proxy writing request logs for probe requests to stdout.
# It uses the same template for user requests, i.e. logging.request-log-template.
logging.enable-probe-request-log: "false"
# metrics.backend-destination field specifies the system metrics destination.
# It supports either prometheus (the default) or stackdriver.
# Note: Using stackdriver will incur additional charges
metrics.backend-destination: prometheus
# metrics.request-metrics-backend-destination specifies the request metrics
# destination. It enables queue proxy to send request metrics.
# Currently supported values: prometheus (the default), stackdriver.
metrics.request-metrics-backend-destination: prometheus
# metrics.stackdriver-project-id field specifies the stackdriver project ID. This
# field is optional. When running on GCE, application default credentials will be
# used if this field is not provided.
metrics.stackdriver-project-id: "<your stackdriver project id>"
# metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
# Stackdriver using "global" resource type and custom metric type if the
# metrics are not supported by "knative_revision" resource type. Setting this
# flag to "true" could cause extra Stackdriver charge.
# If metrics.backend-destination is not Stackdriver, this is ignored.
metrics.allow-stackdriver-custom-metrics: "false"
# profiling.enable indicates whether it is allowed to retrieve runtime profiling data from
# the pods via an HTTP server in the format expected by the pprof visualization tool. When
# enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008.
# The HTTP context root for profiling is then /debug/pprof/.
profiling.enable: "false"
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-tracing
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
annotations:
knative.dev/example-checksum: "4002b4c2"
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
#
# This may be "zipkin" or "stackdriver", the default is "none"
backend: "none"
# URL to zipkin collector where traces are sent.
# This must be specified when backend is "zipkin"
zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans"
# The GCP project into which stackdriver metrics will be written
# when backend is "stackdriver". If unspecified, the project-id
# is read from GCP metadata when running on GCP.
stackdriver-project-id: "my-project"
# Enable zipkin debug mode. This allows all spans to be sent to the server
# bypassing sampling.
debug: "false"
# Percentage (0-1) of requests to trace
sample-rate: "0.1"
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: activator
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
minReplicas: 1
maxReplicas: 20
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: activator
metrics:
- type: Resource
resource:
name: cpu
# Percentage of the requested CPU
targetAverageUtilization: 100
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: activator
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
selector:
matchLabels:
app: activator
role: activator
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: activator
role: activator
serving.knative.dev/release: "v0.17.0"
spec:
serviceAccountName: controller
containers:
- name: activator
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:18aadbb4796d7b6316ae971be5233dac28cd794c517e220d127aa9e21d91df42
# The numbers are based on performance test results from
# https://github.com/knative/serving/issues/1625#issuecomment-511930023
resources:
requests:
cpu: 300m
memory: 60Mi
limits:
cpu: 1000m
memory: 600Mi
env:
- # Run Activator with GC collection when newly generated memory is 500%.
name: GOGC
value: "500"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
name: METRICS_DOMAIN
value: knative.dev/internal/serving
securityContext:
allowPrivilegeEscalation: false
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: http1
containerPort: 8012
- name: h2c
containerPort: 8013
readinessProbe: &probe
httpGet:
port: 8012
httpHeaders:
- name: k-kubelet-probe
value: "activator"
failureThreshold: 12
livenessProbe: *probe
# The activator (often) sits on the dataplane, and may proxy long (e.g.
# streaming, websockets) requests. We give a long grace period for the
# activator to "lame duck" and drain outstanding requests before we
# forcibly terminate the pod (and outstanding connections). This value
# should be at least as large as the upper bound on the Revision's
# timeoutSeconds property to avoid servicing events disrupting
# connections.
terminationGracePeriodSeconds: 600
---
apiVersion: v1
kind: Service
metadata:
name: activator-service
namespace: knative-serving
labels:
app: activator
serving.knative.dev/release: "v0.17.0"
spec:
selector:
app: activator
ports:
- # Define metrics and profiling for them to be accessible within service meshes.
name: http-metrics
port: 9090
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: http
port: 80
targetPort: 8012
- name: http2
port: 81
targetPort: 8013
type: ClusterIP
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: autoscaler
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
replicas: 1
selector:
matchLabels:
app: autoscaler
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: autoscaler
serving.knative.dev/release: "v0.17.0"
spec:
# To avoid node becoming SPOF, spread our replicas to different nodes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: autoscaler
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: controller
containers:
- name: autoscaler
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:0af019e5d0b936468f85f5ca3c658b4913e5ac08734cf377bbbd8ba93eaa9db0
resources:
requests:
cpu: 30m
memory: 40Mi
limits:
cpu: 300m
memory: 400Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
name: METRICS_DOMAIN
value: knative.dev/serving
securityContext:
allowPrivilegeEscalation: false
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: websocket
containerPort: 8080
readinessProbe: &probe
httpGet:
port: 8080
httpHeaders:
- name: k-kubelet-probe
value: "autoscaler"
livenessProbe: *probe
---
apiVersion: v1
kind: Service
metadata:
labels:
app: autoscaler
serving.knative.dev/release: "v0.17.0"
name: autoscaler
namespace: knative-serving
spec:
ports:
- # Define metrics and profiling for them to be accessible within service meshes.
name: http-metrics
port: 9090
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: http
port: 8080
targetPort: 8080
selector:
app: autoscaler
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
selector:
matchLabels:
app: controller
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
labels:
app: controller
serving.knative.dev/release: "v0.17.0"
spec:
# To avoid node becoming SPOF, spread our replicas to different nodes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: controller
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: controller
containers:
- name: controller
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:5f118d434661a895096c69c036de20c962aee445e339cc9e1b1bf806895d6fa2
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 1000m
memory: 1000Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
name: METRICS_DOMAIN
value: knative.dev/internal/serving
securityContext:
allowPrivilegeEscalation: false
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
---
apiVersion: v1
kind: Service
metadata:
labels:
app: controller
serving.knative.dev/release: "v0.17.0"
name: controller
namespace: knative-serving
spec:
ports:
- # Define metrics and profiling for them to be accessible within service meshes.
name: http-metrics
port: 9090
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
selector:
app: controller
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: webhook
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
spec:
selector:
matchLabels:
app: webhook
role: webhook
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: webhook
role: webhook
serving.knative.dev/release: "v0.17.0"
spec:
# To avoid node becoming SPOF, spread our replicas to different nodes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: webhook
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: controller
containers:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:d36f460aea55b93cce222bcee129776dee356e6499db73f232bfdf482ce28f66
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 500m
memory: 500Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: WEBHOOK_PORT
value: "8443"
- # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
name: METRICS_DOMAIN
value: knative.dev/serving
securityContext:
allowPrivilegeEscalation: false
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: https-webhook
containerPort: 8443
readinessProbe: &probe
periodSeconds: 1
httpGet:
scheme: HTTPS
port: 8443
httpHeaders:
- name: k-kubelet-probe
value: "webhook"
livenessProbe: *probe
# Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently
# high value that we respect whatever value it has configured for the lame duck grace period.
terminationGracePeriodSeconds: 300
---
apiVersion: v1
kind: Service
metadata:
labels:
role: webhook
serving.knative.dev/release: "v0.17.0"
name: webhook
namespace: knative-serving
spec:
ports:
- # Define metrics and profiling for them to be accessible within service meshes.
name: http-metrics
port: 9090
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: https-webhook
port: 443
targetPort: 8443
selector:
role: webhook
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: certificates.networking.internal.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: networking.internal.knative.dev
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type==\"Ready\")].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason"
names:
kind: Certificate
plural: certificates
singular: certificate
categories:
- knative-internal
- networking
shortNames:
- kcert
scope: Namespaced
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: configurations.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
duck.knative.dev/podspecable: "true"
spec:
group: serving.knative.dev
versions:
- &version
name: v1alpha1
served: true
storage: false
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: LatestCreated
type: string
jsonPath: .status.latestCreatedRevisionName
- name: LatestReady
type: string
jsonPath: .status.latestReadyRevisionName
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
- !!merge <<: *version
name: v1beta1
- !!merge <<: *version
name: v1
storage: true
names:
kind: Configuration
plural: configurations
singular: configuration
categories:
- all
- knative
- serving
shortNames:
- config
- cfg
scope: Namespaced
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: ingresses.networking.internal.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: networking.internal.knative.dev
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
names:
kind: Ingress
plural: ingresses
singular: ingress
categories:
- knative-internal
- networking
shortNames:
- kingress
- king
scope: Namespaced
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: metrics.autoscaling.internal.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: autoscaling.internal.knative.dev
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
names:
kind: Metric
plural: metrics
singular: metric
categories:
- knative-internal
- autoscaling
scope: Namespaced
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: podautoscalers.autoscaling.internal.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: autoscaling.internal.knative.dev
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: DesiredScale
type: integer
jsonPath: ".status.desiredScale"
- name: ActualScale
type: integer
jsonPath: ".status.actualScale"
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
names:
kind: PodAutoscaler
plural: podautoscalers
singular: podautoscaler
categories:
- knative-internal
- autoscaling
shortNames:
- kpa
- pa
scope: Namespaced
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: revisions.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: serving.knative.dev
versions:
- &version
name: v1alpha1
served: true
storage: false
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Config Name
type: string
jsonPath: ".metadata.labels['serving\\.knative\\.dev/configuration']"
- name: K8s Service Name
type: string
jsonPath: ".status.serviceName"
- name: Generation
type: string # int in string form :(
jsonPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']"
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
- !!merge <<: *version
name: v1beta1
- !!merge <<: *version
name: v1
storage: true
names:
kind: Revision
plural: revisions
singular: revision
categories:
- all
- knative
- serving
shortNames:
- rev
scope: Namespaced
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: routes.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
duck.knative.dev/addressable: "true"
spec:
group: serving.knative.dev
versions:
- &version
name: v1alpha1
served: true
storage: false
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: URL
type: string
jsonPath: .status.url
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
- !!merge <<: *version
name: v1beta1
- !!merge <<: *version
name: v1
storage: true
names:
kind: Route
plural: routes
singular: route
categories:
- all
- knative
- serving
shortNames:
- rt
scope: Namespaced
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: serverlessservices.networking.internal.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
spec:
group: networking.internal.knative.dev
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Mode
type: string
jsonPath: ".spec.mode"
- name: Activators
type: integer
jsonPath: ".spec.numActivators"
- name: ServiceName
type: string
jsonPath: ".status.serviceName"
- name: PrivateServiceName
type: string
jsonPath: ".status.privateServiceName"
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
names:
kind: ServerlessService
plural: serverlessservices
singular: serverlessservice
categories:
- knative-internal
- networking
shortNames:
- sks
scope: Namespaced
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: services.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
knative.dev/crd-install: "true"
duck.knative.dev/addressable: "true"
duck.knative.dev/podspecable: "true"
spec:
group: serving.knative.dev
versions:
- &version
name: v1alpha1
served: true
storage: false
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
# this is a work around so we don't need to flush out the
# schema for each version at this time
#
# see issue: https://github.com/knative/serving/issues/912
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: URL
type: string
jsonPath: .status.url
- name: LatestCreated
type: string
jsonPath: .status.latestCreatedRevisionName
- name: LatestReady
type: string
jsonPath: .status.latestReadyRevisionName
- name: Ready
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- name: Reason
type: string
jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
- !!merge <<: *version
name: v1beta1
- !!merge <<: *version
name: v1
storage: true
names:
kind: Service
plural: services
singular: service
categories:
- all
- knative
- serving
shortNames:
- kservice
- ksvc
scope: Namespaced
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-addressable-resolver
labels:
serving.knative.dev/release: "v0.17.0"
# Labeled to facilitate aggregated cluster roles that act on Addressables.
duck.knative.dev/addressable: "true"
# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
rules:
- apiGroups:
- serving.knative.dev
resources:
- routes
- routes/status
- services
- services/status
verbs:
- get
- list
- watch
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-namespaced-admin
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
serving.knative.dev/release: "v0.17.0"
rules:
- apiGroups: ["serving.knative.dev"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.internal.knative.dev", "autoscaling.internal.knative.dev",
"caching.internal.knative.dev"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-namespaced-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
serving.knative.dev/release: "v0.17.0"
rules:
- apiGroups: ["serving.knative.dev"]
resources: ["*"]
verbs: ["create", "update", "patch", "delete"]
- apiGroups: ["networking.internal.knative.dev", "autoscaling.internal.knative.dev",
"caching.internal.knative.dev"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-namespaced-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
serving.knative.dev/release: "v0.17.0"
rules:
- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev",
"caching.internal.knative.dev"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-core
labels:
serving.knative.dev/release: "v0.17.0"
serving.knative.dev/controller: "true"
rules:
- apiGroups: [""]
resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services",
"events", "serviceaccounts"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: [""]
resources: ["endpoints/restricted"] # Permission for RestrictedEndpointsAdmission
verbs: ["create"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/finalizers"] # finalizers are needed for the owner reference of the webhook
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["autoscaling"]
resources: ["horizontalpodautoscalers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"]
resources: ["*", "*/status", "*/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch",
"watch"]
- apiGroups: ["caching.internal.knative.dev"]
resources: ["images"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-podspecable-binding
labels:
serving.knative.dev/release: "v0.17.0"
# Labeled to facilitate aggregated cluster roles that act on PodSpecables.
duck.knative.dev/podspecable: "true"
# Do not use this role directly. These rules will be added to the "podspecable-binder" role.
rules:
- apiGroups:
- serving.knative.dev
resources:
- configurations
- services
verbs:
- list
- watch
- patch
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: config.webhook.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
webhooks:
- admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
failurePolicy: Fail
sideEffects: None
name: config.webhook.serving.knative.dev
namespaceSelector:
matchExpressions:
- key: serving.knative.dev/release
operator: Exists
timeoutSeconds: 10
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: webhook.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
webhooks:
- admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
failurePolicy: Fail
sideEffects: None
name: webhook.serving.knative.dev
timeoutSeconds: 10
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.serving.knative.dev
labels:
serving.knative.dev/release: "v0.17.0"
webhooks:
- admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: webhook
namespace: knative-serving
failurePolicy: Fail
sideEffects: None
name: validation.webhook.serving.knative.dev
timeoutSeconds: 10
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Secret
metadata:
name: webhook-certs
namespace: knative-serving
labels:
serving.knative.dev/release: "v0.17.0"
# The data is populated at install time.
---
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment