[TF Plugin Docs] - Edit data source template files (#2529)

This commit is contained in:
Sheneska Williams 2024-07-03 11:47:00 -04:00 committed by GitHub
parent ca45276d2e
commit 310648ca76
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
44 changed files with 819 additions and 986 deletions

View file

@ -16,9 +16,11 @@ MD010: false
MD012: false
MD013: false
MD014: false
MD018: false
MD022: false
MD024: false
MD029: false
MD032: false
MD033: false
MD034: false
MD037: false
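Review bot: this hunk grows the list of globally disabled markdownlint rules from 9 to 11 entries with no comment saying which generated-doc pattern needs the new exceptions. Rules such as `MD022: false` and `MD033: false` in this list then stop applying to hand-written pages as well. Consider scoping the exceptions to the directory that tfplugindocs writes to, or adding a one-line comment per rule explaining why it is off.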

View file

@ -7,9 +7,17 @@ description: |-
# kubernetes_all_namespaces
This data source provides a mechanism for listing the names of all available namespaces in a Kubernetes cluster. It can be used to check for existence of a specific namespaces or to apply another resource to all or a subset of existing namespaces in a cluster.
This data source provides a mechanism for listing the names of all available namespaces in a Kubernetes cluster. It can be used to check for existence of a specific namespaces or to apply another resource to all or a subset of existing namespaces in a cluster.In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
<!-- schema generated by tfplugindocs -->
## Schema
### Read-Only
- `id` (String) The ID of this resource.
- `namespaces` (List of String) List of all namespaces in a cluster.
In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
## Example Usage
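Review bot: the rewritten description line joins two sentences without a space ("in a cluster.In Kubernetes, namespaces provide a scope"), and the same "In Kubernetes, namespaces provide a scope for names" sentence also appears on its own line after the Read-Only list, so make sure only one copy survives in the template. While this line is being edited, "existence of a specific namespaces" should read "existence of a specific namespace".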

View file

@ -5,10 +5,46 @@ description: |-
This data source reads configuration data from a config map.
---
# kubernetes_config map
# kubernetes_config_map
Config Maps are key-value pairs containing configuration data. The Config Map data source provides a mechanism for extracting these key-value pairs.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard config_map's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `immutable` (Boolean) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
### Read-Only
- `binary_data` (Map of String) A map of the config map binary data.
- `data` (Map of String) A map of the config map data.
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the config_map that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the config_map. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the config_map, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the config_map must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this config_map that can be used by clients to determine when config_map has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this config_map. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
~> **Note:** All arguments including the config map data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
## Example Usage
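Review bot: the generated schema carries resource wording into a data source. `immutable` is listed under "### Optional" with "Defaulted to nil", and `name` sits under "Optional:" in the `metadata` block with "Cannot be updated", although for a lookup the first is a value read back and the second is the key the lookup depends on. Suggest marking `immutable` as computed in the data source schema and adjusting the `name` description so the regenerated page says what a reader of a data source needs.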

View file

@ -5,10 +5,46 @@ description: |-
This data source reads configuration data from a config map.
---
# kubernetes_config map
# kubernetes_config_map_v1
Config Maps are key-value pairs containing configuration data. The Config Map data source provides a mechanism for extracting these key-value pairs.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard config_map's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `immutable` (Boolean) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
### Read-Only
- `binary_data` (Map of String) A map of the config map binary data.
- `data` (Map of String) A map of the config map data.
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the config_map that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the config_map. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the config_map, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the config_map must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this config_map that can be used by clients to determine when config_map has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this config_map. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
~> **Note:** All arguments including the config map data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
## Example Usage
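Review bot: the plain-text state warning in this hunk links to the site-relative path `/docs/state/sensitive-data.html`. Please confirm that path still resolves from wherever these generated pages are published, or switch to an absolute URL, since this note is the only place the page tells readers that `data` and `binary_data` end up readable in state.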
@ -20,29 +56,3 @@ data "kubernetes_config_map_v1" "example" {
}
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard config map's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the config map, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the config map must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this config map. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
* `data` - A map of the config map data.
* `binary_data` - A map of preserved non-UTF8 data. For more info see [Kubernetes API reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#configmap-v1-core).
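Review bot: deleting this hand-written section drops two details that the generated schema does not carry. Here `name` is marked "(Required)", while the generated `metadata` block lists it under "Optional:", and `binary_data` is described as "A map of preserved non-UTF8 data" with an API reference link, while the generated text is only "A map of the config map binary data." Suggest moving both into the schema descriptions before removing this section.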

View file

@ -9,6 +9,90 @@ description: |-
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard endpoints's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `subset` (Block Set) Set of addresses and ports that comprise a service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors (see [below for nested schema](#nestedblock--subset))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the endpoints that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the endpoints, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the endpoints must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this endpoints that can be used by clients to determine when endpoints has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this endpoints. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--subset"></a>
### Nested Schema for `subset`
Optional:
- `address` (Block Set) IP address which offers the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize. (see [below for nested schema](#nestedblock--subset--address))
- `not_ready_address` (Block Set) IP address which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. (see [below for nested schema](#nestedblock--subset--not_ready_address))
- `port` (Block Set) Port number available on the related IP addresses. (see [below for nested schema](#nestedblock--subset--port))
<a id="nestedblock--subset--address"></a>
### Nested Schema for `subset.address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--not_ready_address"></a>
### Nested Schema for `subset.not_ready_address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--port"></a>
### Nested Schema for `subset.port`
Required:
- `port` (Number) The port that will be exposed by this endpoint.
Optional:
- `name` (String) The name of this port within the endpoint. Must be a DNS_LABEL. Optional if only one Port is defined on this endpoint.
- `protocol` (String) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
## Example Usage
```terraform
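Review bot: several generated descriptions in this hunk carry typos from the schema source: both `ip` entries read "link-local multicast ((224.0.0.0/24)" with a doubled opening parenthesis, `not_ready_address` says "because it have not yet finished starting", and the `metadata` line says "Standard endpoints's metadata". Because the section is marked as generated by tfplugindocs, fix these in the schema Description strings rather than in the markdown, otherwise the next regeneration brings them back.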
@ -20,57 +104,3 @@ data "kubernetes_endpoints_v1" "api_endpoints" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard endpoints' metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the endpoints resource.
* `namespace` - (Optional) Namespace defines the space within which name of the endpoints resource must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this endpoints resource that can be used by clients to determine when endpoints resource has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this endpoints resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `subset`
#### Attributes
* `address` - (Optional) An IP address block which offers the related ports and is ready to accept traffic. These endpoints should be considered safe for load balancers and clients to utilize. Can be repeated multiple times.
* `not_ready_address` - (Optional) A IP address block which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. Can be repeated multiple times.
* `port` - (Optional) A port number block available on the related IP addresses. Can be repeated multiple times.
### `address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `not_ready_address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `port`
#### Attributes
* `name` - (Optional) The name of this port within the endpoint. All ports within the endpoint must have unique names. Optional if only one port is defined on this endpoint.
* `port` - (Required) The port that will be utilized by this endpoint.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
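Review bot: the removed `port` section states "All ports within the endpoint must have unique names", but the generated replacement for `name` only says "Must be a DNS_LABEL", so the uniqueness constraint is no longer documented. The removed `metadata` arguments also mark `name` as "(Required)" where the generated block lists it under "Optional:". Suggest carrying both points into the schema descriptions before this text goes away.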

View file

@ -9,6 +9,127 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `spec` (List of Object) spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedatt--spec))
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the ingress must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress that can be used by clients to determine when ingress has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedatt--spec"></a>
### Nested Schema for `spec`
Read-Only:
- `backend` (List of Object) (see [below for nested schema](#nestedobjatt--spec--backend))
- `ingress_class_name` (String)
- `rule` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule))
- `tls` (List of Object) (see [below for nested schema](#nestedobjatt--spec--tls))
<a id="nestedobjatt--spec--backend"></a>
### Nested Schema for `spec.backend`
Read-Only:
- `service_name` (String)
- `service_port` (String)
<a id="nestedobjatt--spec--rule"></a>
### Nested Schema for `spec.rule`
Read-Only:
- `host` (String)
- `http` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http))
<a id="nestedobjatt--spec--rule--http"></a>
### Nested Schema for `spec.rule.http`
Read-Only:
- `path` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path))
<a id="nestedobjatt--spec--rule--http--path"></a>
### Nested Schema for `spec.rule.http.path`
Read-Only:
- `backend` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path--backend))
- `path` (String)
<a id="nestedobjatt--spec--rule--http--path--backend"></a>
### Nested Schema for `spec.rule.http.path.backend`
Read-Only:
- `service_name` (String)
- `service_port` (String)
<a id="nestedobjatt--spec--tls"></a>
### Nested Schema for `spec.tls`
Read-Only:
- `hosts` (List of String)
- `secret_name` (String)
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
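Review bot: every nested `spec` and `status` entry in the generated section has a type but no description, for example "- `secret_name` (String)", "- `ingress_class_name` (String)" and "- `status` (List of Object)". A reader of this page can no longer tell what any of these fields mean. Suggest setting Description on the computed schema fields so tfplugindocs emits them.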
@ -27,85 +148,3 @@ resource "aws_route53_record" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Required) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `spec`
#### Attributes
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded. See `backend` block attributes below.
* `rule` - A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - The name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field.
### `backend`
#### Attributes
* `service_name` - Specifies the name of the referenced service.
* `service_port` - Specifies the port of the referenced service.
### `rule`
#### Attributes
* `host` - Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Attributes
* `hosts` - Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
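Review bot: this deletion removes the only explanation of the TLS and routing behaviour on the page. The `secret_name` text (SNI host used for termination, Host header used for routing), the `tls` note about the single port 443, and the `ingress_class_name` note about precedence of the deprecated `kubernetes.io/ingress.class` annotation have no counterpart in the generated schema. The removed `namespace` line is also marked "(Required)" while the generated `metadata` block lists it under "Optional:". Suggest porting these descriptions into the schema in the same change.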

View file

@ -9,6 +9,184 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `spec` (List of Object) spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedatt--spec))
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the ingress must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress that can be used by clients to determine when ingress has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedatt--spec"></a>
### Nested Schema for `spec`
Read-Only:
- `default_backend` (List of Object) (see [below for nested schema](#nestedobjatt--spec--default_backend))
- `ingress_class_name` (String)
- `rule` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule))
- `tls` (List of Object) (see [below for nested schema](#nestedobjatt--spec--tls))
<a id="nestedobjatt--spec--default_backend"></a>
### Nested Schema for `spec.default_backend`
Read-Only:
- `resource` (List of Object) (see [below for nested schema](#nestedobjatt--spec--default_backend--resource))
- `service` (List of Object) (see [below for nested schema](#nestedobjatt--spec--default_backend--service))
<a id="nestedobjatt--spec--default_backend--resource"></a>
### Nested Schema for `spec.default_backend.resource`
Read-Only:
- `api_group` (String)
- `kind` (String)
- `name` (String)
<a id="nestedobjatt--spec--default_backend--service"></a>
### Nested Schema for `spec.default_backend.service`
Read-Only:
- `name` (String)
- `port` (List of Object) (see [below for nested schema](#nestedobjatt--spec--default_backend--service--port))
<a id="nestedobjatt--spec--default_backend--service--port"></a>
### Nested Schema for `spec.default_backend.service.port`
Read-Only:
- `name` (String)
- `number` (Number)
<a id="nestedobjatt--spec--rule"></a>
### Nested Schema for `spec.rule`
Read-Only:
- `host` (String)
- `http` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http))
<a id="nestedobjatt--spec--rule--http"></a>
### Nested Schema for `spec.rule.http`
Read-Only:
- `path` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path))
<a id="nestedobjatt--spec--rule--http--path"></a>
### Nested Schema for `spec.rule.http.path`
Read-Only:
- `backend` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path--backend))
- `path` (String)
- `path_type` (String)
<a id="nestedobjatt--spec--rule--http--path--backend"></a>
### Nested Schema for `spec.rule.http.path.backend`
Read-Only:
- `resource` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path--backend--resource))
- `service` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path--backend--service))
<a id="nestedobjatt--spec--rule--http--path--backend--resource"></a>
### Nested Schema for `spec.rule.http.path.backend.resource`
Read-Only:
- `api_group` (String)
- `kind` (String)
- `name` (String)
<a id="nestedobjatt--spec--rule--http--path--backend--service"></a>
### Nested Schema for `spec.rule.http.path.backend.service`
Read-Only:
- `name` (String)
- `port` (List of Object) (see [below for nested schema](#nestedobjatt--spec--rule--http--path--backend--service--port))
<a id="nestedobjatt--spec--rule--http--path--backend--service--port"></a>
### Nested Schema for `spec.rule.http.path.backend.service.port`
Read-Only:
- `name` (String)
- `number` (Number)
<a id="nestedobjatt--spec--tls"></a>
### Nested Schema for `spec.tls`
Read-Only:
- `hosts` (List of String)
- `secret_name` (String)
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
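Review bot: In the nested schema for `status.load_balancer.ingress`, `hostname` and `ip` are emitted as bare `(String)` entries, yet the Example Usage in this file passes `status.0.load_balancer.0.ingress.0.hostname` straight into an `aws_route53_record`. The hand-written text removed further down this file said `hostname` is set for DNS-based ingress points (typically AWS) and `ip` for IP-based ones (typically GCE or OpenStack), so which of the two is populated depends on the load balancer type. Suggest putting those two sentences into the attribute descriptions so tfplugindocs emits them next to the fields the example relies on.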
@ -26,99 +204,3 @@ resource "aws_route53_record" "example" {
records = [data.kubernetes_ingress_v1.example.status.0.load_balancer.0.ingress.0.hostname]
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Required) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `spec`
#### Attributes
* `default_backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded. See `backend` block attributes below.
* `rule` - A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - The name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field.
### `backend`
#### Arguments
* `resource` - Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a `service.name` and `service.port` must not be specified.
* `service` - Service references a Service as a Backend.
### `service`
#### Arguments
* `name` - Specifies the name of the referenced service.
* `port` - Specifies the port of the referenced service.
### `port`
* `name` - Name is the name of the port on the Service.
* `number` - Number is the numerical port number (e.g. 80) on the Service.
### `rule`
#### Attributes
* `host` - Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - (Required) A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `path_type` - PathType determines the interpretation of the Path matching. PathType can be one of the following values: `ImplementationSpecific`, `Exact`, or `Prefix`. See the [Kubernetes Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for details.
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Attributes
* `hosts` - Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
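Review bot: `path_type` and `secret_name` lose their only explanation with the removal of the `path` and `tls` sections, because the generated sections for `spec.rule.http.path` and `spec.tls` earlier in this file list types only. Two statements are worth carrying over as schema descriptions: that `path_type` is one of `ImplementationSpecific`, `Exact` or `Prefix`, and that when the SNI host conflicts with the Host header, the SNI host is used for termination and the Host header for routing. If the removed `metadata` text is reused anywhere, note that it describes a "service" rather than an Ingress and should be corrected rather than copied.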

View file

@ -9,6 +9,125 @@ description: |-
A Mutating Webhook Configuration configures a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks). This data source allows you to pull data about a given mutating webhook configuration based on its name.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard mutating webhook configuration's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `webhook` (List of Object) Webhooks is a list of webhooks and the affected resources and operations. (see [below for nested schema](#nestedatt--webhook))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the mutating webhook configuration that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the mutating webhook configuration. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the mutating webhook configuration, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this mutating webhook configuration that can be used by clients to determine when mutating webhook configuration has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this mutating webhook configuration. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedatt--webhook"></a>
### Nested Schema for `webhook`
Read-Only:
- `admission_review_versions` (List of String)
- `client_config` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--client_config))
- `failure_policy` (String)
- `match_policy` (String)
- `name` (String)
- `namespace_selector` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--namespace_selector))
- `object_selector` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--object_selector))
- `reinvocation_policy` (String)
- `rule` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--rule))
- `side_effects` (String)
- `timeout_seconds` (Number)
<a id="nestedobjatt--webhook--client_config"></a>
### Nested Schema for `webhook.client_config`
Read-Only:
- `ca_bundle` (String)
- `service` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--client_config--service))
- `url` (String)
<a id="nestedobjatt--webhook--client_config--service"></a>
### Nested Schema for `webhook.client_config.service`
Read-Only:
- `name` (String)
- `namespace` (String)
- `path` (String)
- `port` (Number)
<a id="nestedobjatt--webhook--namespace_selector"></a>
### Nested Schema for `webhook.namespace_selector`
Read-Only:
- `match_expressions` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--namespace_selector--match_expressions))
- `match_labels` (Map of String)
<a id="nestedobjatt--webhook--namespace_selector--match_expressions"></a>
### Nested Schema for `webhook.namespace_selector.match_expressions`
Read-Only:
- `key` (String)
- `operator` (String)
- `values` (Set of String)
<a id="nestedobjatt--webhook--object_selector"></a>
### Nested Schema for `webhook.object_selector`
Read-Only:
- `match_expressions` (List of Object) (see [below for nested schema](#nestedobjatt--webhook--object_selector--match_expressions))
- `match_labels` (Map of String)
<a id="nestedobjatt--webhook--object_selector--match_expressions"></a>
### Nested Schema for `webhook.object_selector.match_expressions`
Read-Only:
- `key` (String)
- `operator` (String)
- `values` (Set of String)
<a id="nestedobjatt--webhook--rule"></a>
### Nested Schema for `webhook.rule`
Read-Only:
- `api_groups` (List of String)
- `api_versions` (List of String)
- `operations` (List of String)
- `resources` (List of String)
- `scope` (String)
## Example Usage
```terraform
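Review bot: In the nested schema for `webhook`, `failure_policy`, `match_policy`, `reinvocation_policy`, `side_effects` and `timeout_seconds` are emitted with a type and nothing else, while the top-level `webhook` attribute and every `metadata` field do get a description. The allowed values and defaults that the old page gave (for example `failure_policy` being "Ignore" or "Fail", defaulting to "Fail") are then not stated anywhere on the page. Suggest setting descriptions on the nested attributes in the data source schema so the generator has text to emit.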
@ -18,74 +137,3 @@ data "kubernetes_mutating_webhook_configuration_v1" "example" {
}
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Mutating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Attributes
`webhook` - A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - Name of the Mutating Webhook Configuration, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `annotations` - An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
* `generation` - A sequence number representing a specific generation of the desired state.
* `labels` - Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
* `resource_version` - An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this secret. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - ClientConfig defines how to communicate with the hook.
* `failure_policy` - FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `reinvocation_policy` - reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: the webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: *the number of additional invocations is not guaranteed to be exactly one.* if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. *webhooks that use this option may be reordered to minimize the number of additional invocations.* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. Defaults to "Never".
* `rule` - Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
~> Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - The name of the service.
* `namespace` - The namespace of the service.
* `path` - The URL path which will be sent in any request to this service.
* `port` - If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
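Review bot: The removed `object_selector` and `url` entries carry operational warnings with no counterpart in the generated schema, where `webhook` lists `object_selector` (List of Object) and `webhook.client_config` lists `url` (String) with nothing attached. Specifically: the object selector should be used only for opt-in webhooks because end users may skip the admission webhook by setting the labels, and the `url` must use the https scheme with no user or basic auth, fragment or query parameters, with `localhost` or `127.0.0.1` flagged as risky. Suggest keeping these as a notes section in the template or as attribute descriptions rather than dropping them.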

View file

@ -9,6 +9,44 @@ description: |-
This data source provides a mechanism to query attributes of any specific namespace within a Kubernetes cluster. In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard namespace's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `spec` (List of Object) Spec defines the behavior of the Namespace. (see [below for nested schema](#nestedatt--spec))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the namespace. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the namespace, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespace has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this namespace. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedatt--spec"></a>
### Nested Schema for `spec`
Read-Only:
- `finalizers` (List of String)
## Example Usage
```terraform
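Review bot: In the nested schema for `metadata`, `name` is listed under `Optional:`, while the hand-written section removed later in this file marks it `(Required)` and the page describes querying a specific namespace. The description also says "Cannot be updated", which is resource wording on a data source page. Suggest either marking `name` required in the data source schema or documenting what is returned when it is omitted, and trimming the description to what applies to a read.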
@ -18,37 +56,3 @@ data "kubernetes_namespace" "example" {
}
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard object metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the namespace, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `resource_version` - An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespaces have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this namespace. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Attributes
* `finalizers` - An opaque list of values that must be empty to permanently remove object from storage. For more info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
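Review bot: `finalizers` loses its description here ("An opaque list of values that must be empty to permanently remove object from storage") and the generated `spec` section lists it only as `(List of String)`. The two `~>` notes about annotations and labels whose key names end with *kubernetes.io* being ignored by default are removed as well. If the data source applies that filtering on read, the behaviour belongs in the generated `annotations` and `labels` descriptions; if it does not, say so in the commit message so the removal reads as intentional.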

View file

@ -9,6 +9,44 @@ description: |-
This data source provides a mechanism to query attributes of any specific namespace within a Kubernetes cluster. In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard namespace's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `spec` (List of Object) Spec defines the behavior of the Namespace. (see [below for nested schema](#nestedatt--spec))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the namespace. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the namespace, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespace has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this namespace. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedatt--spec"></a>
### Nested Schema for `spec`
Read-Only:
- `finalizers` (List of String)
## Example Usage
```terraform

View file

@ -7,11 +7,111 @@ description: |-
# kubernetes_nodes
This data source provides a mechanism for listing the names of nodes in a kubernetes cluster.
This data source provides a mechanism for listing the names of nodes in a kubernetes cluster.By default, all nodes in the cluster are returned, but queries by node label are also supported. It can be used to check for the existence of a specific node or to lookup a node to apply a taint with the `kubernetes_node_taint` resource.
By default, all nodes in the cluster are returned, but queries by node label are also supported.
<!-- schema generated by tfplugindocs -->
## Schema
It can be used to check for the existence of a specific node or to lookup a node to apply a taint with the `kubernetes_node_taint` resource.
### Optional
- `metadata` (Block List, Max: 1) Metadata fields to narrow node selection. (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
- `nodes` (List of Object) List of nodes in a cluster. (see [below for nested schema](#nestedatt--nodes))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `labels` (Map of String) Select nodes with these labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
<a id="nestedatt--nodes"></a>
### Nested Schema for `nodes`
Read-Only:
- `metadata` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--metadata))
- `spec` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--spec))
- `status` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--status))
<a id="nestedobjatt--nodes--metadata"></a>
### Nested Schema for `nodes.metadata`
Read-Only:
- `annotations` (Map of String)
- `generation` (Number)
- `labels` (Map of String)
- `name` (String)
- `resource_version` (String)
- `uid` (String)
<a id="nestedobjatt--nodes--spec"></a>
### Nested Schema for `nodes.spec`
Read-Only:
- `pod_cidr` (String)
- `pod_cidrs` (List of String)
- `provider_id` (String)
- `taints` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--spec--taints))
- `unschedulable` (Boolean)
<a id="nestedobjatt--nodes--spec--taints"></a>
### Nested Schema for `nodes.spec.taints`
Read-Only:
- `effect` (String)
- `key` (String)
- `value` (String)
<a id="nestedobjatt--nodes--status"></a>
### Nested Schema for `nodes.status`
Read-Only:
- `addresses` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--status--addresses))
- `allocatable` (Map of String)
- `capacity` (Map of String)
- `node_info` (List of Object) (see [below for nested schema](#nestedobjatt--nodes--status--node_info))
<a id="nestedobjatt--nodes--status--addresses"></a>
### Nested Schema for `nodes.status.addresses`
Read-Only:
- `address` (String)
- `type` (String)
<a id="nestedobjatt--nodes--status--node_info"></a>
### Nested Schema for `nodes.status.node_info`
Read-Only:
- `architecture` (String)
- `boot_id` (String)
- `container_runtime_version` (String)
- `kernel_version` (String)
- `kube_proxy_version` (String)
- `kubelet_version` (String)
- `machine_id` (String)
- `operating_system` (String)
- `os_image` (String)
- `system_uuid` (String)
## Example usage
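Review bot: the rewritten description line joins two sentences as "cluster.By default" with no space after the period. The sentences folded into it ("By default, all nodes in the cluster are returned..." and "It can be used to check for the existence of a specific node...") also still appear as stand-alone lines around the generated `## Schema` heading, so confirm the stand-alone copies are removed rather than left to render twice. In the same line "to lookup a node" should read "to look up a node", and the closing heading `## Example usage` does not match the `## Example Usage` capitalisation used for the preceding data source.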
@ -40,80 +140,3 @@ output "linux-node-names" {
value = [for node in data.kubernetes_nodes.example.nodes : node.metadata.0.name]
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - Metadata describing which nodes to return.
### Attributes
* `metadata` - Metadata describing the node. See [metadata](#metadata) for more info.
* `spec` - Defines the behavior of the node. See [spec](#spec) for more info.
* `status` - Status information for the node. See [status](#status) for more info.
## Nested Blocks
### `metadata`
#### Arguments
* `labels` - (Required) Map of string keys and values that can be used to narrow the selection of nodes returned.
#### Attributes
* `name` - Name of the node, must be unique.
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the node.
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this node that can be used by clients to determine when the node has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this node . For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Attributes
* `pod_cidr` - (Optional) The pod IP range assigned to the node
* `pod_cidrs` - (Optional) A list of IP address ranges assigned to the node for usage by pods on that node.
* `provider_id` - (Optional) ID of the node assigned by the cloud provider.
* `unschedulable` - Controls the schedulability of new pods on the node. By default, node is schedulable.
* `taints` - (Optional) Taints applied to the node. See [taints](#taints) for more info.
### `status`
### Attributes
* `addresses` - (Optional) A set of IP address(es) and/or Hostname assigned to the node. See [addresses](#addresses) and [Kubernetes reference](https://kubernetes.io/docs/concepts/architecture/nodes/#addresses/node/#info) for more info.
* `allocatable` - (Optional) The total resources of a node.
* `capacity` - (Optional) The resources of a node that are available for scheduling.
* `node_info` - (Optional) A set of ids/uuids to uniquely identify the node. See [node_info](#node_info) for more info. [Kubernetes reference](https://kubernetes.io/docs/concepts/nodes/node/#info)
### `addresses`
#### Attributes
* `type` - Type of the address: HostName, ExternalIP or InternalIP.
* `address` - The IP (if type is ExternalIP or InternalIP) or the hostname (if type is HostName).
### `node_info`
#### Attributes
* `machine_id` - Machine ID reported by the node see [main(5) machine-id](http://man7.org/linux/man-pages/man5/machine-id.5.html) for more info.
* `system_uuid` - System UUID reported by the node. This field is specific to Red Hat hosts.
* `boot_id` - Boot ID reported by the node.
* `kernel_version` - Kernel Version reported by the node from `uname -r`
* `os_image` - OS Image reported by the node from `/etc/os-release`
* `container_runtime_version` ContainerRuntime Version reported by the node through runtime remote API
* `kubelet_version` - Kubelet Version reported by the node.
* `kube_proxy_version` - KubeProxy Version reported by the node.
* `operating_system` - The Operating System reported by the node
* `architecture` - The Architecture reported by the node
### `taints`
#### Attributes
* `key` - The taint key to be applied to a node.
* `value` - (Optional) The taint value corresponding to the taint key.
* `effect` - The effect of the taint on pods that do not tolerate the taint. Valid effects are `NoSchedule`, `PreferNoSchedule` and `NoExecute`.
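Review bot: deleting this hand-written reference drops information that the generated schema does not carry. The generated nested entries are bare, for example `effect` (String), `kernel_version` (String) and `type` (String), while the removed text documented the valid taint effects (`NoSchedule`, `PreferNoSchedule`, `NoExecute`), the address types (HostName, ExternalIP, InternalIP) and where `kernel_version` and `os_image` come from. Consider moving these descriptions into the schema `Description` fields so that tfplugindocs emits them, instead of losing them with this hunk.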

View file

@ -338,9 +338,9 @@ resources {
#### Attributes
* `type` - Indicates which kind of seccomp profile will be applied. Valid options are:
* `Localhost` - a profile defined in a file on the node should be used.
* `RuntimeDefault` - the container runtime default profile should be used.
* `Unconfined` - (Default) no profile should be applied.
* `Localhost` - a profile defined in a file on the node should be used.
* `RuntimeDefault` - the container runtime default profile should be used.
* `Unconfined` - (Default) no profile should be applied.
* `localhost_profile` - Indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if `type` is `Localhost`.
### `se_linux_options`
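Review bot: in the `type` option list, `Unconfined` is labelled "(Default)" with no statement of the consequence, namely that a container which omits this block runs with no seccomp filtering. Since these lines are being touched anyway, consider adding one sentence to the `type` description that says so and points readers to `RuntimeDefault`. Please also confirm in the rendered page that the three values are nested under `type` and that `localhost_profile` remains a sibling of `type`, since that is the only thing this hunk changes.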

View file

@ -338,9 +338,9 @@ resources {
#### Attributes
* `type` - Indicates which kind of seccomp profile will be applied. Valid options are:
* `Localhost` - a profile defined in a file on the node should be used.
* `RuntimeDefault` - the container runtime default profile should be used.
* `Unconfined` - (Default) no profile should be applied.
* `Localhost` - a profile defined in a file on the node should be used.
* `RuntimeDefault` - the container runtime default profile should be used.
* `Unconfined` - (Default) no profile should be applied.
* `localhost_profile` - Indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if `type` is `Localhost`.
### `se_linux_options`

View file

@ -195,9 +195,9 @@ The following arguments are supported:
* `token` - (Optional) Token of your service account. Can be sourced from `KUBE_TOKEN`.
* `proxy_url` - (Optional) URL to the proxy to be used for all API requests. URLs with "http", "https", and "socks5" schemes are supported. Can be sourced from `KUBE_PROXY_URL`.
* `exec` - (Optional) Configuration block to use an [exec-based credential plugin] (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins), e.g. call an external command to receive user credentials.
* `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
* `command` - (Required) Command to execute.
* `args` - (Optional) List of arguments to pass when executing the plugin.
* `env` - (Optional) Map of environment variables to set when executing the plugin.
* `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
* `command` - (Required) Command to execute.
* `args` - (Optional) List of arguments to pass when executing the plugin.
* `env` - (Optional) Map of environment variables to set when executing the plugin.
* `ignore_annotations` - (Optional) List of Kubernetes metadata annotations to ignore across all resources handled by this provider for situations where external systems are managing certain resource annotations. This option does not affect annotations within a template block. Each item is a regular expression.
* `ignore_labels` - (Optional) List of Kubernetes metadata labels to ignore across all resources handled by this provider for situations where external systems are managing certain resource labels. This option does not affect annotations within a template block. Each item is a regular expression.
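Review bot: the `exec` line has a space between the link text and its target, `[exec-based credential plugin] (https://...)`, so Markdown will not render it as a link; remove the space while this block is being re-indented. Separately, the `ignore_labels` description says "This option does not affect annotations within a template block", which looks copied from `ignore_annotations` and should read "labels".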

View file

@ -18,7 +18,6 @@ Use this resource to generate TLS certificates using Kubernetes. This is a *logi
- `spec` (Block List, Min: 1, Max: 1) CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
Kubelets use this API to obtain:
1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
@ -36,7 +35,6 @@ This API can be used to request client certificates to authenticate to kube-apis
If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
Validation requirements:
1. certificate must contain one or more PEM blocks.
2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
@ -50,7 +48,6 @@ The certificate is encoded in PEM format.
When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
base64(
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
@ -81,7 +78,6 @@ Required:
List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
Well-known Kubernetes signers are:
1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
@ -92,7 +88,6 @@ Well-known Kubernetes signers are:
More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
Custom signerNames can also be specified. The signer defines:
1. Trust distribution: how trust (CA bundles) are distributed.
2. Permitted subjects: and behavior when a disallowed subject is requested.
3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.

View file

@ -74,7 +74,6 @@ Optional:
- `host` (String) host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
the IP in the Spec of the parent Ingress.
2. The `:` delimiter is not respected because ports are not allowed.
Currently the port of an Ingress is implicitly :80 for http and
:443 for https.

View file

@ -99,14 +99,12 @@ Optional:
- `host` (String) host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
the IP in the Spec of the parent Ingress.
2. The `:` delimiter is not respected because ports are not allowed.
Currently the port of an Ingress is implicitly :80 for http and
:443 for https.
Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.
- `http` (Block List, Max: 1) http is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. (see [below for nested schema](#nestedblock--spec--rule--http))
<a id="nestedblock--spec--rule--http"></a>
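Review bot: in the `http` description the example reads "http:///? -> backend where where parts of the url", so the placeholder segments of the example URL are missing and "where" is doubled. If the schema description uses raw angle-bracket placeholders, they need to be wrapped in backticks or escaped so they survive Markdown rendering. In the `host` description, "if the http host header is to equal to the suffix" should read "is equal to the suffix".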
@ -130,7 +128,6 @@ Optional:
request path. Note that if the last element of the path is a substring
of the last element in request path, it is not a match (e.g. /foo/bar
matches /foo/bar/baz, but does not match /foo/barbaz).
* ImplementationSpecific: Interpretation of the Path matching is up to
the IngressClass. Implementations can treat this as a separate PathType
or treat it identically to Prefix or Exact path types.

View file

@ -57,7 +57,6 @@ Optional:
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
@ -89,7 +88,6 @@ If instead you want to only run the webhook on any objects whose namespace is as
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `reinvocation_policy` (String) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
@ -98,7 +96,6 @@ Never: the webhook will not be called more than once in a single admission evalu
IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
Defaults to "Never".
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
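Review bot: in the `IfNeeded` paragraph the "Note:" list is flattened into a single line with literal " * " separators ("Note: * the number of additional invocations ... * if additional invocations ..."), and it sits next to the `*must*` emphasis, so the asterisks can pair up as emphasis markers when rendered. Put each note on its own line as a proper sub-list, or rewrite them as sentences, so that the idempotency requirement stays readable.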
@ -112,7 +109,6 @@ Optional:
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.

View file

@ -57,7 +57,6 @@ Optional:
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
@ -89,7 +88,6 @@ If instead you want to only run the webhook on any objects whose namespace is as
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `reinvocation_policy` (String) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
@ -98,7 +96,6 @@ Never: the webhook will not be called more than once in a single admission evalu
IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
Defaults to "Never".
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
@ -112,7 +109,6 @@ Optional:
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.

View file

@ -98,7 +98,6 @@ Optional:
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector))
@ -169,7 +168,6 @@ Optional:
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector))

View file

@ -98,7 +98,6 @@ Optional:
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector))
@ -169,7 +168,6 @@ Optional:
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector))

View file

@ -134,7 +134,7 @@ resource "kubernetes_persistent_volume" "example" {
}
```
## Import
##Import
Persistent Volume Claim can be imported using its namespace and name, e.g.
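Review bot: the heading changes from `## Import` to `##Import`, and an ATX heading with no space after the hashes is not parsed as a heading by CommonMark renderers, so the Import section would show up as literal text and drop out of the page outline. Keep `## Import`.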

View file

@ -56,13 +56,11 @@ Optional:
- `allowed_unsafe_sysctls` (List of String) allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- `default_add_capabilities` (List of String) defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
- `default_allow_privilege_escalation` (Boolean) defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
- `forbidden_sysctls` (List of String) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- `host_ipc` (Boolean) hostIPC determines if the policy allows the use of HostIPC in the pod spec.
- `host_network` (Boolean) hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
- `host_pid` (Boolean) hostPID determines if the policy allows the use of HostPID in the pod spec.

View file

@ -56,13 +56,11 @@ Optional:
- `allowed_unsafe_sysctls` (List of String) allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- `default_add_capabilities` (List of String) defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
- `default_allow_privilege_escalation` (Boolean) defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
- `forbidden_sysctls` (List of String) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- `host_ipc` (Boolean) hostIPC determines if the policy allows the use of HostIPC in the pod spec.
- `host_network` (Boolean) hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
- `host_pid` (Boolean) hostPID determines if the policy allows the use of HostPID in the pod spec.
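Review bot: the continuation lines under `allowed_unsafe_sysctls` and `forbidden_sysctls` open with "Examples: e.g.", which doubles the lead-in; drop one of the two. Since the wildcard rule is what decides how much a policy permits, the examples could also show the bare `*` case next to the prefix cases. Make the fix in the schema description in the provider source so regenerated docs keep it.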

View file

@ -57,7 +57,6 @@ Optional:
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
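Review bot: the `namespace_selector` entry runs a raw JSON fragment into the list item at "you will set the selector as follows: "namespaceSelector": {", so the example will not render as code and its braces end up in running text. Either move the two selector examples into a fenced block in the template, or trim the description to the prose and rely on the labels link that follows.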
@ -89,7 +88,6 @@ If instead you want to only run the webhook on any objects whose namespace is as
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
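Review bot: the `object_selector` entry buries its bypass caveat ("Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels") in the middle of a long list item. That sentence is the one a reader auditing a webhook configuration needs, so consider surfacing it as a `~> **Note:**` callout in the template. Minor, same entry: "Default to the empty LabelSelector" should read "Defaults to".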
@ -104,7 +102,6 @@ Optional:
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
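Review bot: the `service` and `url` entries state the constraint differently: `service` says "Either `service` or `url` must be specified" while `url` says "Exactly one of `url` or `service` must be specified". "Either" reads as allowing both; use the "Exactly one" wording in both entries.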
@ -225,7 +222,7 @@ resource "kubernetes_validating_webhook_configuration" "example" {
The provider supports clusters running either `v1` or `v1beta1` of the Admission Registration API.
## Import
##Import
Validating Webhook Configuration can be imported using the name, e.g.
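Review bot: the `##Import` line in this hunk has no space after the hashes, so CommonMark renderers show it as literal text instead of a level-2 heading. The header counts (7 lines on each side) show it trading places with `## Import`; the result should keep `## Import`.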

View file

@ -57,7 +57,6 @@ Optional:
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
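Review bot: the `Equivalent` entry reads "match a request if modifies a resource listed in rules", which is missing its subject; it should be "if it modifies". As this text comes from the schema description, correct it at the source rather than in the rendered file.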
@ -89,7 +88,6 @@ If instead you want to only run the webhook on any objects whose namespace is as
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
@ -104,7 +102,6 @@ Optional:
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.

View file

@ -7,15 +7,17 @@ import (
"context"
"crypto/sha256"
"fmt"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"log"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func dataSourceKubernetesAllNamespaces() *schema.Resource {
return &schema.Resource{
Description: "This data source provides a mechanism for listing the names of all available namespaces in a Kubernetes cluster. It can be used to check for existence of a specific namespaces or to apply another resource to all or a subset of existing namespaces in a cluster.In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.",
ReadContext: dataSourceKubernetesAllNamespacesRead,
Schema: map[string]*schema.Schema{
"namespaces": {

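Review bot: the new `Description` string on `dataSourceKubernetesAllNamespaces` joins two paragraphs without a space ("in a cluster.In Kubernetes") and keeps "a specific namespaces". Both now flow into every doc rendered from `{{ .Description }}`; add the space and use "a specific namespace".
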
View file

@ -15,6 +15,7 @@ import (
func dataSourceKubernetesConfigMapV1() *schema.Resource {
return &schema.Resource{
Description: "Config Maps are key-value pairs containing configuration data. The Config Map data source provides a mechanism for extracting these key-value pairs.",
ReadContext: dataSourceKubernetesConfigMapV1Read,
Schema: map[string]*schema.Schema{

View file

@ -15,6 +15,7 @@ import (
func dataSourceKubernetesEndpointsV1() *schema.Resource {
return &schema.Resource{
Description: "An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.",
ReadContext: dataSourceKubernetesEndpointsV1Read,
Schema: map[string]*schema.Schema{
"metadata": namespacedMetadataSchema("endpoints", true),

View file

@ -23,6 +23,7 @@ func dataSourceKubernetesIngress() *schema.Resource {
docIngressSpec := networking.IngressSpec{}.SwaggerDoc()
return &schema.Resource{
Description: "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.",
ReadContext: dataSourceKubernetesIngressRead,
Schema: map[string]*schema.Schema{
"metadata": namespacedMetadataSchema("ingress", false),

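Review bot: the `Description` added to `dataSourceKubernetesIngress` is word-for-word the one added to `dataSourceKubernetesIngressV1`, so the two generated pages will not tell a reader which API version each data source reads. Say so in each string, and while there change "urls" to "URLs" and "such ingress" to "such an Ingress".
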
View file

@ -24,6 +24,7 @@ func dataSourceKubernetesIngressV1() *schema.Resource {
docIngressSpec := networking.IngressSpec{}.SwaggerDoc()
return &schema.Resource{
Description: "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.",
ReadContext: dataSourceKubernetesIngressV1Read,
Schema: map[string]*schema.Schema{
"metadata": namespacedMetadataSchema("ingress", false),

View file

@ -19,6 +19,7 @@ func dataSourceKubernetesMutatingWebhookConfigurationV1() *schema.Resource {
apiDoc := admissionregistrationv1.MutatingWebhookConfiguration{}.SwaggerDoc()
webhookDoc := admissionregistrationv1.MutatingWebhook{}.SwaggerDoc()
return &schema.Resource{
Description: "A Mutating Webhook Configuration configures a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks). This data source allows you to pull data about a given mutating webhook configuration based on its name.",
ReadContext: dataSourceKubernetesMutatingWebhookConfigurationV1Read,
Schema: map[string]*schema.Schema{
"metadata": metadataSchema("mutating webhook configuration", false),

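Review bot: the `Description` on `dataSourceKubernetesMutatingWebhookConfigurationV1` embeds a Markdown link, unlike the plain-text descriptions added to the other data sources in this commit. terraform-plugin-sdk treats descriptions as plain text unless `schema.DescriptionKind` is set to `schema.StringMarkdown`, so any consumer of the schema outside the generated docs sees raw link syntax. Confirm that setting, or keep the link in the template and leave the Go string plain.
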
View file

@ -16,6 +16,7 @@ import (
func dataSourceKubernetesNamespaceV1() *schema.Resource {
return &schema.Resource{
Description: "This data source provides a mechanism to query attributes of any specific namespace within a Kubernetes cluster. In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.",
ReadContext: dataSourceKubernetesNamespaceV1Read,
Schema: map[string]*schema.Schema{

View file

@ -19,6 +19,7 @@ import (
func dataSourceKubernetesNodes() *schema.Resource {
return &schema.Resource{
Description: "This data source provides a mechanism for listing the names of nodes in a kubernetes cluster.By default, all nodes in the cluster are returned, but queries by node label are also supported. It can be used to check for the existence of a specific node or to lookup a node to apply a taint with the `kubernetes_node_taint` resource.",
ReadContext: dataSourceKubernetesNodesRead,
Schema: map[string]*schema.Schema{
"metadata": {

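Review bot: the `Description` on `dataSourceKubernetesNodes` has a missing space at "kubernetes cluster.By default", lower-cases "kubernetes", and uses "lookup" as a verb. Suggested wording: "in a Kubernetes cluster. By default, ..." and "to look up a node".
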
View file

@ -5,15 +5,11 @@ description: |-
Lists all namespaces within a cluster.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_all_namespaces
This data source provides a mechanism for listing the names of all available namespaces in a Kubernetes cluster. It can be used to check for existence of a specific namespaces or to apply another resource to all or a subset of existing namespaces in a cluster.
In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
{{ .SchemaMarkdown }}
## Example Usage

View file

@ -5,13 +5,11 @@ description: |-
This data source reads configuration data from a config map.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_config map
Config Maps are key-value pairs containing configuration data. The Config Map data source provides a mechanism for extracting these key-value pairs.
{{ .SchemaMarkdown }}
~> **Note:** All arguments including the config map data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).

View file

@ -5,42 +5,15 @@ description: |-
This data source reads configuration data from a config map.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_config map
{{ .SchemaMarkdown }}
Config Maps are key-value pairs containing configuration data. The Config Map data source provides a mechanism for extracting these key-value pairs.
~> **Note:** All arguments including the config map data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
## Example Usage
{{tffile "examples/data-sources/config_map_v1/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard config map's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the config map, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the config map must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this config map. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
* `data` - A map of the config map data.
* `binary_data` - A map of preserved non-UTF8 data. For more info see [Kubernetes API reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#configmap-v1-core).
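Review bot: this hunk shrinks the template from 42 to 15 lines and the hand-written entries for `data` and `binary_data` are among the lines shown, while the `~> **Note:**` about config map data being stored in state as plain text stays. Per the template comment, `{{ .SchemaMarkdown }}` only replaces manual docs when the schema attributes carry descriptions in the provider source, so confirm both attributes have one there; otherwise the page warns about data it no longer describes.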

View file

@ -5,69 +5,13 @@ description: |-
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_endpoints_v1
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
{{ .SchemaMarkdown }}
## Example Usage
{{tffile "examples/data-sources/endpoints_v1/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard endpoints' metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the endpoints resource.
* `namespace` - (Optional) Namespace defines the space within which name of the endpoints resource must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this endpoints resource that can be used by clients to determine when endpoints resource has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this endpoints resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `subset`
#### Attributes
* `address` - (Optional) An IP address block which offers the related ports and is ready to accept traffic. These endpoints should be considered safe for load balancers and clients to utilize. Can be repeated multiple times.
* `not_ready_address` - (Optional) A IP address block which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. Can be repeated multiple times.
* `port` - (Optional) A port number block available on the related IP addresses. Can be repeated multiple times.
### `address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `not_ready_address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `port`
#### Attributes
* `name` - (Optional) The name of this port within the endpoint. All ports within the endpoint must have unique names. Optional if only one port is defined on this endpoint.
* `port` - (Required) The port that will be utilized by this endpoint.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
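Review bot: the hand-written `address` and `not_ready_address` text in this hunk contains "((224.0.0.0/24)" with a doubled parenthesis, "A IP address", and "because it have not yet finished starting". If the schema descriptions that now feed `{{ .SchemaMarkdown }}` were copied from these lines, fix them in the provider source so the generated page does not inherit the errors.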

View file

@ -5,97 +5,13 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_ingress
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.
{{ .SchemaMarkdown }}
## Example Usage
{{tffile "examples/data-sources/ingress/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Required) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `spec`
#### Attributes
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded. See `backend` block attributes below.
* `rule` - A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - The name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field.
### `backend`
#### Attributes
* `service_name` - Specifies the name of the referenced service.
* `service_port` - Specifies the port of the referenced service.
### `rule`
#### Attributes
* `host` - Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Attributes
* `hosts` - Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).

View file

@ -5,110 +5,12 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_ingress_v1
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. This data source allows you to pull data about such ingress.
{{ .SchemaMarkdown }}
## Example Usage
{{tffile "examples/data-sources/ingress_v1/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Required) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
### `spec`
#### Attributes
* `default_backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded. See `backend` block attributes below.
* `rule` - A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - The name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field.
### `backend`
#### Arguments
* `resource` - Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a `service.name` and `service.port` must not be specified.
* `service` - Service references a Service as a Backend.
### `service`
#### Arguments
* `name` - Specifies the name of the referenced service.
* `port` - Specifies the port of the referenced service.
### `port`
* `name` - Name is the name of the port on the Service.
* `number` - Number is the numerical port number (e.g. 80) on the Service.
### `rule`
#### Attributes
* `host` - Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - (Required) A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `path_type` - PathType determines the interpretation of the Path matching. PathType can be one of the following values: `ImplementationSpecific`, `Exact`, or `Prefix`. See the [Kubernetes Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for details.
* `backend` - Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Attributes
* `hosts` - Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
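Review bot: In the `metadata` block of this Ingress template the object is called a service throughout (`Standard service's metadata`, `Name of the service, must be unique`, `internal version of this service`). If this hand-written reference is what `{{ .SchemaMarkdown }}` now replaces, check that the schema descriptions in the provider source name the Ingress instead. Check also that they keep two routing caveats stated here: under `ingress_class_name`, that the deprecated `kubernetes.io/ingress.class` annotation takes precedence when set, and under `secret_name`, that the SNI host is used for termination while the Host header is used for routing. The example URL in the `http` description reads `http:///? -> backend`, which is not usable as written, so fix it wherever that text ends up.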

View file

@ -5,85 +5,12 @@ description: |-
Mutating Webhook Configuration configures a mutating admission webhook
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_mutating_webhook_configuration_v1
A Mutating Webhook Configuration configures a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks). This data source allows you to pull data about a given mutating webhook configuration based on its name.
{{ .SchemaMarkdown }}
## Example Usage
{{tffile "examples/data-sources/mutating_webhook_configuration_v1/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Mutating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Attributes
`webhook` - A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - Name of the Mutating Webhook Configuration, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `annotations` - An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
* `generation` - A sequence number representing a specific generation of the desired state.
* `labels` - Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
* `resource_version` - An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this secret. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - ClientConfig defines how to communicate with the hook.
* `failure_policy` - FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `reinvocation_policy` - reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: the webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: *the number of additional invocations is not guaranteed to be exactly one.* if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. *webhooks that use this option may be reordered to minimize the number of additional invocations.* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. Defaults to "Never".
* `rule` - Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
~> Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - The name of the service.
* `namespace` - The namespace of the service.
* `path` - The URL path which will be sent in any request to this service.
* `port` - If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
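Review bot: The `~>` callout under `client_config` and the opt-in warning under `object_selector` are the security-relevant parts of this page, and going by the `@ -5,85 +5,12 @` header they are dropped in favour of `{{ .SchemaMarkdown }}`. The callout says `localhost` or `127.0.0.1` is risky as a host, the scheme must be "https", and `user:password@`, fragments and query parameters are not allowed. The `object_selector` text says end users may skip the admission webhook by setting the labels. As the template comment notes, generated schema documentation only replaces manual text if the descriptions exist in the provider source, so confirm the descriptions for `url` and `object_selector` carry this wording or keep it as hardcoded text in the template. Separately, the `metadata` attributes say `stored with the namespace` and `internal version of this secret`; whatever replaces them should name the Mutating Webhook Configuration.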

View file

@ -5,48 +5,12 @@ description: |-
Queries attributes of a Namespace within the cluster.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_namespace
This data source provides a mechanism to query attributes of any specific namespace within a Kubernetes cluster. In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
{{ .SchemaMarkdown }}
## Example Usage
{{tffile "examples/data-sources/namespace/example_1.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard object metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the namespace, must be unique. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `annotations` - (Optional) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generation` - A sequence number representing a specific generation of the desired state.
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `resource_version` - An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespaces have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this namespace. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Attributes
* `finalizers` - An opaque list of values that must be empty to permanently remove object from storage. For more info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
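Review bot: The two `~>` callouts under `annotations` and `labels` describe provider behaviour (keys ending with *kubernetes.io* are ignored to avoid a perpetual diff) rather than the field itself, so they will not appear in `{{ .SchemaMarkdown }}` output unless the attribute descriptions contain them. Decide explicitly whether they belong on this page. They talk about specifying annotations "in the configuration template" and Terraform managing them, which reads as resource documentation, and both attributes are tagged `(Optional)` under an Attributes heading even though a data source only reads them. If the behaviour still matters to readers of the data source, keep a short hardcoded note in the template; otherwise dropping it is fine, but say so in the commit message.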

View file

@ -5,13 +5,11 @@ description: |-
Queries attributes of a Namespace within the cluster.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_namespace_v1
This data source provides a mechanism to query attributes of any specific namespace within a Kubernetes cluster. In Kubernetes, namespaces provide a scope for names and are intended as a way to divide cluster resources between multiple users.
{{ .SchemaMarkdown }}
## Example Usage

View file

@ -5,17 +5,11 @@ description: |-
Gets nodes within a cluster.
---
{{/* This template serves as a starting point for documentation generation, and can be customized with hardcoded values and/or doc gen templates.
# {{ .Name }}
For example, the {{ .SchemaMarkdown }} template can be used to replace manual schema documentation if descriptions of schema attributes are added in the provider source code. */ -}}
{{ .Description }}
# kubernetes_nodes
This data source provides a mechanism for listing the names of nodes in a kubernetes cluster.
By default, all nodes in the cluster are returned, but queries by node label are also supported.
It can be used to check for the existence of a specific node or to lookup a node to apply a taint with the `kubernetes_node_taint` resource.
{{ .SchemaMarkdown }}
## Example usage
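Review bot: The heading `## Example usage` is cased differently from the `## Example Usage` heading used by the other templates in this commit; align it so the rendered pages are consistent. In the intro, `kubernetes cluster` should be `Kubernetes cluster`, as in the namespace templates.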
@ -26,80 +20,3 @@ It can be used to check for the existence of a specific node or to lookup a node
### By label
{{tffile "examples/data-sources/nodes/example_2.tf"}}
## Argument Reference
The following arguments are supported:
* `metadata` - Metadata describing which nodes to return.
### Attributes
* `metadata` - Metadata describing the node. See [metadata](#metadata) for more info.
* `spec` - Defines the behavior of the node. See [spec](#spec) for more info.
* `status` - Status information for the node. See [status](#status) for more info.
## Nested Blocks
### `metadata`
#### Arguments
* `labels` - (Required) Map of string keys and values that can be used to narrow the selection of nodes returned.
#### Attributes
* `name` - Name of the node, must be unique.
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the node.
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this node that can be used by clients to determine when the node has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this node . For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Attributes
* `pod_cidr` - (Optional) The pod IP range assigned to the node
* `pod_cidrs` - (Optional) A list of IP address ranges assigned to the node for usage by pods on that node.
* `provider_id` - (Optional) ID of the node assigned by the cloud provider.
* `unschedulable` - Controls the schedulability of new pods on the node. By default, node is schedulable.
* `taints` - (Optional) Taints applied to the node. See [taints](#taints) for more info.
### `status`
### Attributes
* `addresses` - (Optional) A set of IP address(es) and/or Hostname assigned to the node. See [addresses](#addresses) and [Kubernetes reference](https://kubernetes.io/docs/concepts/architecture/nodes/#addresses/node/#info) for more info.
* `allocatable` - (Optional) The total resources of a node.
* `capacity` - (Optional) The resources of a node that are available for scheduling.
* `node_info` - (Optional) A set of ids/uuids to uniquely identify the node. See [node_info](#node_info) for more info. [Kubernetes reference](https://kubernetes.io/docs/concepts/nodes/node/#info)
### `addresses`
#### Attributes
* `type` - Type of the address: HostName, ExternalIP or InternalIP.
* `address` - The IP (if type is ExternalIP or InternalIP) or the hostname (if type is HostName).
### `node_info`
#### Attributes
* `machine_id` - Machine ID reported by the node see [main(5) machine-id](http://man7.org/linux/man-pages/man5/machine-id.5.html) for more info.
* `system_uuid` - System UUID reported by the node. This field is specific to Red Hat hosts.
* `boot_id` - Boot ID reported by the node.
* `kernel_version` - Kernel Version reported by the node from `uname -r`
* `os_image` - OS Image reported by the node from `/etc/os-release`
* `container_runtime_version` ContainerRuntime Version reported by the node through runtime remote API
* `kubelet_version` - Kubelet Version reported by the node.
* `kube_proxy_version` - KubeProxy Version reported by the node.
* `operating_system` - The Operating System reported by the node
* `architecture` - The Architecture reported by the node
### `taints`
#### Attributes
* `key` - The taint key to be applied to a node.
* `value` - (Optional) The taint value corresponding to the taint key.
* `effect` - The effect of the taint on pods that do not tolerate the taint. Valid effects are `NoSchedule`, `PreferNoSchedule` and `NoExecute`.
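Review bot: The `status` descriptions for `allocatable` and `capacity` are swapped: `capacity` is the total resources of a node and `allocatable` is what is available for scheduling. If the schema descriptions in the provider source were written from this text, the generated section will repeat the error, so check them before relying on `{{ .SchemaMarkdown }}`. Other defects in this block to keep out of the descriptions:
* `labels` under `metadata` Arguments is marked `(Required)` although the intro says all nodes are returned by default.
* `container_runtime_version` lacks the ` - ` separator.
* The `machine_id` link text reads `main(5) machine-id`.
* The `addresses` link ends in `#addresses/node/#info`.
* `### Attributes` under `status` is one level shallower than the `#### Attributes` headings used elsewhere.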