upstream/terraform-provider-kubernetes
1
0
Fork 0
mirror of https://github.com/hashicorp/terraform-provider-kubernetes.git synced 2025-12-18 23:06:07 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Edit Template Files - TFPluginDocs (#2477)

Browse source
This commit is contained in:
Sheneska Williams 2024-05-22 12:59:44 -04:00 committed by GitHub
parent d7cefb3f74
commit 72041db21b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
396 changed files with 39097 additions and 21282 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.copywrite.hcl
View file

@ -11,5 +11,6 @@ project {
".markdownlint.yml",
".release/**",
"vendor/**",
"examples/**"
]
}

4
.markdownlint.yml
View file

@ -18,7 +18,11 @@ MD013: false
MD014: false
MD022: false
MD024: false
MD029: false
MD033: false
MD034: false
MD037: false
MD038: false
MD040: false
MD046: false
MD047: false

57
docs/resources/annotations.md
View file

@ -9,6 +9,40 @@ description: |-
This resource allows Terraform to manage the annotations for a resource that already exists. This resource uses [field management](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) and [server-side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) to manage only the annotations that are defined in the Terraform configuration. Existing annotations not specified in the configuration will be ignored. If an annotation specified in the config and is already managed by another client it will cause a conflict which can be overridden by setting `force` to true.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `api_version` (String) The apiVersion of the resource to annotate.
- `kind` (String) The kind of the resource to annotate.
- `metadata` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--metadata))
### Optional
- `annotations` (Map of String) A map of annotations to apply to the resource.
- `field_manager` (String) Set the name of the field manager for the specified labels.
- `force` (Boolean) Force overwriting annotations that were created or edited outside of Terraform.
- `template_annotations` (Map of String) A map of annotations to apply to the resource template.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `name` (String) The name of the resource.
Optional:
- `namespace` (String) The namespace of the resource.
## Example Usage
```terraform
@ -44,29 +78,6 @@ resource "kubernetes_annotations" "example" {
}
```
## Argument Reference
The following arguments are supported:
~> NOTE: At least one of `annotations` or `template_annotations` is required.
* `api_version` - (Required) The apiVersion of the resource to be annotated.
* `kind` - (Required) The kind of the resource to be annotated.
* `metadata` - (Required) Standard metadata of the resource to be annotated.
* `annotations` - (Optional) A map of annotations to apply to the resource.
* `template_annotations` - (Optional) A map of annotations to apply to the pod template within the resource.
* `force` - (Optional) Force management of annotations if there is a conflict. Defaults to `false`.
* `field_manager` - (Optional) The name of the [field manager](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management). Defaults to `Terraform`.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the resource to be annotated.
* `namespace` - (Optional) Namespace of the resource to be annotated.
## Import
This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.

111
docs/resources/api_service.md
View file

@ -9,6 +9,67 @@ description: |-
An API Service is an abstraction which defines for locating and communicating with servers.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard api_service's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec contains information for locating and communicating with a server. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the api_service that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the api_service. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the api_service, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this api_service that can be used by clients to determine when api_service has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this api_service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `group` (String) Group is the API group name this server hosts.
- `group_priority_minimum` (Number) GroupPriorityMinimum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s.
- `version` (String) Version is the API version this server hosts. For example, `v1`.
- `version_priority` (Number) VersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is `kube-like`, it will sort above non `kube-like` version strings, which are ordered lexicographically. `Kube-like` versions start with a `v`, then are followed by a number (the major version), then optionally the string `alpha` or `beta` and another number (the minor version). These are sorted first by GA > `beta` > `alpha` (where GA is a version with no suffix such as `beta` or `alpha`), and then by comparing major version, then minor version. An example sorted list of versions: `v10`, `v2`, `v1`, `v11beta2`, `v10beta3`, `v3beta1`, `v12alpha1`, `v11alpha2`, `foo1`, `foo10`.
Optional:
- `ca_bundle` (String) CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.
- `insecure_skip_tls_verify` (Boolean) InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.
- `service` (Block List, Max: 1) Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. (see [below for nested schema](#nestedblock--spec--service))
<a id="nestedblock--spec--service"></a>
### Nested Schema for `spec.service`
Required:
- `name` (String) Name is the name of the service.
- `namespace` (String) Namespace is the namespace of the service.
Optional:
- `port` (Number) If specified, the port on the service that is hosting the service. Defaults to 443 for backward compatibility. Should be a valid port number (1-65535, inclusive).
## Example Usage
```terraform
@ -31,56 +92,6 @@ resource "kubernetes_api_service" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard API service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec contains information for locating and communicating with a server. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the API service that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the API service.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the API service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this API service that can be used by clients to determine when API service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this API service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `ca_bundle` - (Optional) CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.
* `group` - (Required) Group is the API group name this server hosts.
* `group_priority_minimum` - (Required) GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s.
* `insecure_skip_tls_verify` - (Required) InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.
* `service` - (Optional) Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. See `service` block attributes below.
* `version` - (Required) Version is the API version this server hosts. For example, `v1`.
* `version_priority` - (Required) VersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is `kube-like`, it will sort above non `kube-like` version strings, which are ordered lexicographically. `Kube-like` versions start with a `v`, then are followed by a number (the major version), then optionally the string `alpha` or `beta` and another number (the minor version). These are sorted first by GA > `beta` > `alpha` (where GA is a version with no suffix such as `beta` or `alpha`), and then by comparing major version, then minor version. An example sorted list of versions: `v10`, `v2`, `v1`, `v11beta2`, `v10beta3`, `v3beta1`, `v12alpha1`, `v11alpha2`, `foo1`, `foo10`..
### `service`
#### Arguments
* `name` - (Required) Name is the name of the service.
* `namespace` - (Required) Namespace is the namespace of the service.
* `port` - (Optional) If specified, the port on the service that is hosting the service. Defaults to 443 for backward compatibility. Should be a valid port number (1-65535, inclusive).
## Import
API service can be imported using its name, e.g.

111
docs/resources/api_service_v1.md
View file

@ -9,6 +9,67 @@ description: |-
An API Service is an abstraction which defines for locating and communicating with servers.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard api_service's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec contains information for locating and communicating with a server. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the api_service that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the api_service. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the api_service, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this api_service that can be used by clients to determine when api_service has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this api_service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `group` (String) Group is the API group name this server hosts.
- `group_priority_minimum` (Number) GroupPriorityMinimum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s.
- `version` (String) Version is the API version this server hosts. For example, `v1`.
- `version_priority` (Number) VersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is `kube-like`, it will sort above non `kube-like` version strings, which are ordered lexicographically. `Kube-like` versions start with a `v`, then are followed by a number (the major version), then optionally the string `alpha` or `beta` and another number (the minor version). These are sorted first by GA > `beta` > `alpha` (where GA is a version with no suffix such as `beta` or `alpha`), and then by comparing major version, then minor version. An example sorted list of versions: `v10`, `v2`, `v1`, `v11beta2`, `v10beta3`, `v3beta1`, `v12alpha1`, `v11alpha2`, `foo1`, `foo10`.
Optional:
- `ca_bundle` (String) CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.
- `insecure_skip_tls_verify` (Boolean) InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.
- `service` (Block List, Max: 1) Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. (see [below for nested schema](#nestedblock--spec--service))
<a id="nestedblock--spec--service"></a>
### Nested Schema for `spec.service`
Required:
- `name` (String) Name is the name of the service.
- `namespace` (String) Namespace is the namespace of the service.
Optional:
- `port` (Number) If specified, the port on the service that is hosting the service. Defaults to 443 for backward compatibility. Should be a valid port number (1-65535, inclusive).
## Example Usage
```terraform
@ -31,56 +92,6 @@ resource "kubernetes_api_service_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard API service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec contains information for locating and communicating with a server. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the API service that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the API service.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the API service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this API service that can be used by clients to determine when API service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this API service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `ca_bundle` - (Optional) CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.
* `group` - (Required) Group is the API group name this server hosts.
* `group_priority_minimum` - (Required) GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s.
* `insecure_skip_tls_verify` - (Required) InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.
* `service` - (Optional) Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. See `service` block attributes below.
* `version` - (Required) Version is the API version this server hosts. For example, `v1`.
* `version_priority` - (Required) VersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is `kube-like`, it will sort above non `kube-like` version strings, which are ordered lexicographically. `Kube-like` versions start with a `v`, then are followed by a number (the major version), then optionally the string `alpha` or `beta` and another number (the minor version). These are sorted first by GA > `beta` > `alpha` (where GA is a version with no suffix such as `beta` or `alpha`), and then by comparing major version, then minor version. An example sorted list of versions: `v10`, `v2`, `v1`, `v11beta2`, `v10beta3`, `v3beta1`, `v12alpha1`, `v11alpha2`, `foo1`, `foo10`..
### `service`
#### Arguments
* `name` - (Required) Name is the name of the service.
* `namespace` - (Required) Namespace is the namespace of the service.
* `port` - (Optional) If specified, the port on the service that is hosting the service. Defaults to 443 for backward compatibility. Should be a valid port number (1-65535, inclusive).
## Import
API service can be imported using its name, e.g.

127
docs/resources/certificate_signing_request.md
View file

@ -7,11 +7,92 @@ description: |-
# kubernetes_certificate_signing_request
Use this resource to generate TLS certificates using Kubernetes.
Use this resource to generate TLS certificates using Kubernetes. This is a *logical resource*, so it contributes only to the current Terraform state and does not persist any external managed resources. This resource enables automation of [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning (including TLS/SSL certificates). It does this by creating a CertificateSigningRequest using the Kubernetes API, which generates a certificate from the Certificate Authority (CA) configured in the Kubernetes cluster. The CSR can be approved automatically by Terraform, or it can be approved by a custom controller running in Kubernetes. See [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) for all available options pertaining to CertificateSigningRequests.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard certificate signing request's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Describes a certificate signing request (see [below for nested schema](#nestedblock--spec))
### Optional
- `auto_approve` (Boolean) Automatically approve the CertificateSigningRequest
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `certificate` (String) If request was approved, the controller will place the issued certificate here.
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the certificate signing request that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the certificate signing request. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the certificate signing request, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this certificate signing request that can be used by clients to determine when certificate signing request has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this certificate signing request. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `request` (String) Base64-encoded PKCS#10 CSR data
Optional:
- `signer_name` (String) Requested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`.If empty, it will be defaulted: 1. If it's a kubelet client certificate, it is assigned `kubernetes.io/kube-apiserver-client-kubelet`.2. If it's a kubelet serving certificate, it is assigned `kubernetes.io/kubelet-serving`.3. Otherwise, it is assigned `kubernetes.io/legacy-unknown`. Distribution of trust for signers happens out of band.You can select on this field using `spec.signerName`.
- `usages` (Set of String) allowedUsages specifies a set of usage contexts the key will be valid for. See:
https://tools.ietf.org/html/rfc5280#section-4.2.1.3
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid values are:
"signing",
"digital signature",
"content commitment",
"key encipherment",
"key agreement",
"data encipherment",
"cert sign",
"crl sign",
"encipher only",
"decipher only",
"any",
"server auth",
"client auth",
"code signing",
"email protection",
"s/mime",
"ipsec end system",
"ipsec tunnel",
"ipsec user",
"timestamping",
"ocsp signing",
"microsoft sgc",
"netscape sgc"
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
This is a *logical resource*, so it contributes only to the current Terraform state and does not persist any external managed resources.
This resource enables automation of [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning (including TLS/SSL certificates). It does this by creating a CertificateSigningRequest using the Kubernetes API, which generates a certificate from the Certificate Authority (CA) configured in the Kubernetes cluster. The CSR can be approved automatically by Terraform, or it can be approved by a custom controller running in Kubernetes. See [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) for all available options pertaining to CertificateSigningRequests.
## Example Usage
@ -48,46 +129,6 @@ resource "kubernetes_secret" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `auto_approve` - (Optional) Automatically approve the CertificateSigningRequest. Defaults to 'true'.
* `metadata` - (Required) Standard certificate signing request's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the specification of the desired behavior of the deployment. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the certificate signing request that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the certificate signing request. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the certificate signing request, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `certificate` - The signed certificate PEM data.
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this certificate signing request that can be used by clients to determine when certificate signing request has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this certificate signing request. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `request` - (Required) Base64-encoded PKCS#10 CSR data.
* `signer_name` - (Optional) Requested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted: 1. If it's a kubelet client certificate, it is assigned "kubernetes.io/kube-apiserver-client-kubelet". 2. If it's a kubelet serving certificate, it is assigned "kubernetes.io/kubelet-serving". 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown". Distribution of trust for signers happens out of band.
* `usages` - (Required) Specifies a set of usage contexts the key will be valid for. See https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage
## Generating a New Certificate
Since the certificate is a logical resource that lives only in the Terraform state, it will persist until it is explicitly destroyed by the user.

161
docs/resources/certificate_signing_request_v1.md
View file

@ -7,11 +7,126 @@ description: |-
# kubernetes_certificate_signing_request_v1
Use this resource to generate TLS certificates using Kubernetes.
Use this resource to generate TLS certificates using Kubernetes. This is a *logical resource*, so it contributes only to the current Terraform state and does not persist any external managed resources. This resource enables automation of [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning (including TLS/SSL certificates). It does this by creating a CertificateSigningRequest using the Kubernetes API, which generates a certificate from the Certificate Authority (CA) configured in the Kubernetes cluster. The CSR can be approved automatically by Terraform, or it can be approved by a custom controller running in Kubernetes. See [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) for all available options pertaining to CertificateSigningRequests.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard certificate signing request's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
Kubelets use this API to obtain:
1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers. (see [below for nested schema](#nestedblock--spec))
### Optional
- `auto_approve` (Boolean) Automatically approve the CertificateSigningRequest
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `certificate` (String) certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.
If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
Validation requirements:
1. certificate must contain one or more PEM blocks.
2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
to allow for explanatory text as described in section 5.2 of RFC7468.
If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
The certificate is encoded in PEM format.
When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
base64(
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the certificate signing request that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the certificate signing request. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the certificate signing request, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this certificate signing request that can be used by clients to determine when certificate signing request has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this certificate signing request. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `request` (String) request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.
- `signer_name` (String) signerName indicates the requested signer, and is a qualified name.
List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
Well-known Kubernetes signers are:
1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
Custom signerNames can also be specified. The signer defines:
1. Trust distribution: how trust (CA bundles) are distributed.
2. Permitted subjects: and behavior when a disallowed subject is requested.
3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
4. Required, permitted, or forbidden key usages / extended key usages.
5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
6. Whether or not requests for CA certificates are allowed.
Optional:
- `usages` (Set of String) usages specifies a set of key usages requested in the issued certificate.
Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
Valid values are:
"signing", "digital signature", "content commitment",
"key encipherment", "key agreement", "data encipherment",
"cert sign", "crl sign", "encipher only", "decipher only", "any",
"server auth", "client auth",
"code signing", "email protection", "s/mime",
"ipsec end system", "ipsec tunnel", "ipsec user",
"timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
This is a *logical resource*, so it contributes only to the current Terraform state and does not persist any external managed resources.
This resource enables automation of [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning (including TLS/SSL certificates). It does this by creating a CertificateSigningRequest using the Kubernetes API, which generates a certificate from the Certificate Authority (CA) configured in the Kubernetes cluster. The CSR can be approved automatically by Terraform, or it can be approved by a custom controller running in Kubernetes. See [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) for all available options pertaining to CertificateSigningRequests.
## Example Usage
@ -51,46 +166,6 @@ resource "kubernetes_secret" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `auto_approve` - (Optional) Automatically approve the CertificateSigningRequest. Defaults to 'true'.
* `metadata` - (Required) Standard certificate signing request's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the specification of the desired behavior of the deployment. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the certificate signing request that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the certificate signing request. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the certificate signing request, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `certificate` - The signed certificate PEM data.
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this certificate signing request that can be used by clients to determine when certificate signing request has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this certificate signing request. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `request` - (Required) Base64-encoded PKCS#10 CSR data.
* `signer_name` - (Required) Indicates the requested signer, and is a qualified name. See https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
* `usages` - (Required) Specifies a set of usage contexts the key will be valid for. See https://godoc.org/k8s.io/api/certificates/v1#KeyUsage
## Generating a New Certificate
Since the certificate is a logical resource that lives only in the Terraform state, it will persist until it is explicitly destroyed by the user.

131
docs/resources/cluster_role.md
View file

@ -9,6 +9,83 @@ description: |-
A ClusterRole creates a role at the cluster level and in all namespaces.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard clusterRole's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `aggregation_rule` (Block List, Max: 1) Describes how to build the Rules for this ClusterRole. (see [below for nested schema](#nestedblock--aggregation_rule))
- `rule` (Block List) List of PolicyRules for this ClusterRole (see [below for nested schema](#nestedblock--rule))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the clusterRole that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the clusterRole. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the clusterRole, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this clusterRole that can be used by clients to determine when clusterRole has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this clusterRole. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--aggregation_rule"></a>
### Nested Schema for `aggregation_rule`
Optional:
- `cluster_role_selectors` (Block List) A list of selectors which will be used to find ClusterRoles and create the rules. (see [below for nested schema](#nestedblock--aggregation_rule--cluster_role_selectors))
<a id="nestedblock--aggregation_rule--cluster_role_selectors"></a>
### Nested Schema for `aggregation_rule.cluster_role_selectors`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--aggregation_rule--cluster_role_selectors--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--aggregation_rule--cluster_role_selectors--match_expressions"></a>
### Nested Schema for `aggregation_rule.cluster_role_selectors.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--rule"></a>
### Nested Schema for `rule`
Required:
- `verbs` (List of String) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
Optional:
- `api_groups` (List of String) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
- `non_resource_urls` (List of String) NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
- `resource_names` (List of String) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
- `resources` (List of String) Resources is a list of resources this rule applies to. ResourceAll represents all resources.
## Example Usage
```terraform
@ -49,60 +126,6 @@ resource "kubernetes_cluster_role" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `rule` - (Optional) The PolicyRoles for this ClusterRole. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)
* `aggregation_rule` - (Optional) Describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be overwritten by the controller. . For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `rule`
#### Arguments
* `api_groups` - (Optional) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
* `non_resource_urls` - (Optional) NonResourceURLs is a set of partial urls that a user should have access to. \*s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
* `resource_names` - (Optional) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
* `resources` - (Optional) Resources is a list of resources this rule applies to. ResourceAll represents all resources.
* `verbs` - (Required) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
### `aggregation_rule`
#### Arguments
* `cluster_role_selectors` - (Optional) A list of selectors which will be used to find ClusterRoles and create the rules.
### `cluster_role_selectors`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of `{key,value}` pairs. A single `{key,value}` in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
## Import
ClusterRole can be imported using the name, e.g.

106
docs/resources/cluster_role_binding.md
View file

@ -7,7 +7,63 @@ description: |-
# kubernetes_cluster_role_binding
A ClusterRoleBinding may be used to grant permission at the cluster level and in all namespaces
A ClusterRoleBinding may be used to grant permission at the cluster level and in all namespaces.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard clusterRoleBinding's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `role_ref` (Block List, Min: 1, Max: 1) RoleRef references the Cluster Role for this binding (see [below for nested schema](#nestedblock--role_ref))
- `subject` (Block List, Min: 1) Subjects defines the entities to bind a ClusterRole to. (see [below for nested schema](#nestedblock--subject))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the clusterRoleBinding that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the clusterRoleBinding. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the clusterRoleBinding, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this clusterRoleBinding that can be used by clients to determine when clusterRoleBinding has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this clusterRoleBinding. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--role_ref"></a>
### Nested Schema for `role_ref`
Required:
- `api_group` (String) The API group of the user. The only value possible at the moment is `rbac.authorization.k8s.io`.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--subject"></a>
### Nested Schema for `subject`
Required:
- `kind` (String) The kind of resource.
- `name` (String) The name of the resource to bind to.
Optional:
- `api_group` (String) The API group of the subject resource.
- `namespace` (String) The Namespace of the subject resource.
## Example Usage
@ -39,54 +95,6 @@ resource "kubernetes_cluster_role_binding" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `role_ref` - (Required) The ClusterRole to bind Subjects to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding)
* `subject` - (Required) The Users, Groups, or ServiceAccounts to grant permissions to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `role_ref`
#### Arguments
* `name` - (Required) The name of this ClusterRole to bind Subjects to.
* `kind` - (Required) The type of binding to use. This value must be and defaults to `ClusterRole`
* `api_group` - (Required) The API group to drive authorization decisions. This value must be and defaults to `rbac.authorization.k8s.io`
### `subject`
#### Arguments
* `name` - (Required) The name of this ClusterRole to bind Subjects to.
* `namespace` - (Optional) Namespace defines the namespace of the ServiceAccount to bind to. This value only applies to kind `ServiceAccount`
* `kind` - (Required) The type of binding to use. This value must be `ServiceAccount`, `User` or `Group`
* `api_group` - (Required) The API group to drive authorization decisions. This value only applies to kind `User` and `Group`. It must be `rbac.authorization.k8s.io`
## Import
ClusterRoleBinding can be imported using the name, e.g.

104
docs/resources/cluster_role_binding_v1.md
View file

@ -9,6 +9,62 @@ description: |-
A ClusterRoleBinding may be used to grant permission at the cluster level and in all namespaces
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard clusterRoleBinding's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `role_ref` (Block List, Min: 1, Max: 1) RoleRef references the Cluster Role for this binding (see [below for nested schema](#nestedblock--role_ref))
- `subject` (Block List, Min: 1) Subjects defines the entities to bind a ClusterRole to. (see [below for nested schema](#nestedblock--subject))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the clusterRoleBinding that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the clusterRoleBinding. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the clusterRoleBinding, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this clusterRoleBinding that can be used by clients to determine when clusterRoleBinding has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this clusterRoleBinding. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--role_ref"></a>
### Nested Schema for `role_ref`
Required:
- `api_group` (String) The API group of the user. The only value possible at the moment is `rbac.authorization.k8s.io`.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--subject"></a>
### Nested Schema for `subject`
Required:
- `kind` (String) The kind of resource.
- `name` (String) The name of the resource to bind to.
Optional:
- `api_group` (String) The API group of the subject resource.
- `namespace` (String) The Namespace of the subject resource.
## Example Usage
```terraform
@ -39,54 +95,6 @@ resource "kubernetes_cluster_role_binding_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `role_ref` - (Required) The ClusterRole to bind Subjects to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding)
* `subject` - (Required) The Users, Groups, or ServiceAccounts to grant permissions to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `role_ref`
#### Arguments
* `name` - (Required) The name of this ClusterRole to bind Subjects to.
* `kind` - (Required) The type of binding to use. This value must be and defaults to `ClusterRole`
* `api_group` - (Required) The API group to drive authorization decisions. This value must be and defaults to `rbac.authorization.k8s.io`
### `subject`
#### Arguments
* `name` - (Required) The name of this ClusterRole to bind Subjects to.
* `namespace` - (Optional) Namespace defines the namespace of the ServiceAccount to bind to. This value only applies to kind `ServiceAccount`
* `kind` - (Required) The type of binding to use. This value must be `ServiceAccount`, `User` or `Group`
* `api_group` - (Required) The API group to drive authorization decisions. This value only applies to kind `User` and `Group`. It must be `rbac.authorization.k8s.io`
## Import
ClusterRoleBinding can be imported using the name, e.g.

131
docs/resources/cluster_role_v1.md
View file

@ -9,6 +9,83 @@ description: |-
A ClusterRole creates a role at the cluster level and in all namespaces.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard clusterRole's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `aggregation_rule` (Block List, Max: 1) Describes how to build the Rules for this ClusterRole. (see [below for nested schema](#nestedblock--aggregation_rule))
- `rule` (Block List) List of PolicyRules for this ClusterRole (see [below for nested schema](#nestedblock--rule))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the clusterRole that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the clusterRole. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the clusterRole, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this clusterRole that can be used by clients to determine when clusterRole has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this clusterRole. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--aggregation_rule"></a>
### Nested Schema for `aggregation_rule`
Optional:
- `cluster_role_selectors` (Block List) A list of selectors which will be used to find ClusterRoles and create the rules. (see [below for nested schema](#nestedblock--aggregation_rule--cluster_role_selectors))
<a id="nestedblock--aggregation_rule--cluster_role_selectors"></a>
### Nested Schema for `aggregation_rule.cluster_role_selectors`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--aggregation_rule--cluster_role_selectors--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--aggregation_rule--cluster_role_selectors--match_expressions"></a>
### Nested Schema for `aggregation_rule.cluster_role_selectors.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--rule"></a>
### Nested Schema for `rule`
Required:
- `verbs` (List of String) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
Optional:
- `api_groups` (List of String) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
- `non_resource_urls` (List of String) NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
- `resource_names` (List of String) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
- `resources` (List of String) Resources is a list of resources this rule applies to. ResourceAll represents all resources.
## Example Usage
```terraform
@ -49,60 +126,6 @@ resource "kubernetes_cluster_role_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `rule` - (Optional) The PolicyRoles for this ClusterRole. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)
* `aggregation_rule` - (Optional) Describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be overwritten by the controller. . For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the cluster role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the cluster role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this cluster role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `rule`
#### Arguments
* `api_groups` - (Optional) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
* `non_resource_urls` - (Optional) NonResourceURLs is a set of partial urls that a user should have access to. \*s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
* `resource_names` - (Optional) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
* `resources` - (Optional) Resources is a list of resources this rule applies to. '\*' represents all resources.
* `verbs` - (Required) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. '\*' represents all kinds.
### `aggregation_rule`
#### Arguments
* `cluster_role_selectors` - (Optional) A list of selectors which will be used to find ClusterRoles and create the rules.
### `cluster_role_selectors`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of `{key,value}` pairs. A single `{key,value}` in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
## Import
ClusterRole can be imported using the name, e.g.

70
docs/resources/config_map.md
View file

@ -9,6 +9,43 @@ description: |-
The resource provides mechanisms to inject containers with configuration data while keeping containers agnostic of Kubernetes. Config Map can be used to store fine-grained information like individual properties or coarse-grained information like entire config files or JSON blobs.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard config map's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `binary_data` (Map of String) BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet. This field only accepts base64-encoded payloads that will be decoded/encoded before being sent/received to/from the apiserver.
- `data` (Map of String) Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
- `immutable` (Boolean) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the config map that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the config map. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the config map, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the config map must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this config map. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
## Example Usage
```terraform
@ -29,39 +66,6 @@ resource "kubernetes_config_map" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `binary_data` - (Optional) BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet. This field only accepts base64-encoded payloads that will be decoded/received before being sent/received to the apiserver.
* `data` - (Optional) Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
* `immutable` - (Optional) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
* `metadata` - (Required) Standard config map's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the config map that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the config map. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the config map, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the config map must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this config map. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Config Map can be imported using its namespace and name, e.g.

70
docs/resources/config_map_v1.md
View file

@ -9,6 +9,43 @@ description: |-
The resource provides mechanisms to inject containers with configuration data while keeping containers agnostic of Kubernetes. Config Map can be used to store fine-grained information like individual properties or coarse-grained information like entire config files or JSON blobs.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard config map's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `binary_data` (Map of String) BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet. This field only accepts base64-encoded payloads that will be decoded/encoded before being sent/received to/from the apiserver.
- `data` (Map of String) Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
- `immutable` (Boolean) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the config map that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the config map. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the config map, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the config map must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this config map. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
## Example Usage
```terraform
@ -29,39 +66,6 @@ resource "kubernetes_config_map_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `binary_data` - (Optional) BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet. This field only accepts base64-encoded payloads that will be decoded/received before being sent/received to the apiserver.
* `data` - (Optional) Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.
* `immutable` - (Optional) Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.
* `metadata` - (Required) Standard config map's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the config map that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the config map. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the config map, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the config map must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this config map that can be used by clients to determine when config map has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this config map. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Config Map can be imported using its namespace and name, e.g.

49
docs/resources/config_map_v1_data.md
View file

@ -9,6 +9,37 @@ description: |-
This resource allows Terraform to manage data within a pre-existing ConfigMap. This resource uses [field management](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) and [server-side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) to manage only the data that is defined in the Terraform configuration. Existing data not specified in the configuration will be ignored. If data specified in the config and is already managed by another client it will cause a conflict which can be overridden by setting `force` to true.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `data` (Map of String) The data we want to add to the ConfigMap.
- `metadata` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--metadata))
### Optional
- `field_manager` (String) Set the name of the field manager for the specified labels.
- `force` (Boolean) Force overwriting data that is managed outside of Terraform.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `name` (String) The name of the ConfigMap.
Optional:
- `namespace` (String) The namespace of the ConfigMap.
## Example Usage
```terraform
@ -22,24 +53,6 @@ resource "kubernetes_config_map_v1_data" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard metadata of the ConfigMap.
* `data` - (Required) A map of data to apply to the ConfigMap.
* `force` - (Optional) Force management of the configured data if there is a conflict.
* `field_manager` - (Optional) The name of the [field manager](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management). Defaults to `Terraform`.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the ConfigMap.
* `namespace` - (Optional) Namespace of the ConfigMap.
## Import
This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.

2433
docs/resources/cron_job.md
View file

File diff suppressed because it is too large Load diff

2435
docs/resources/cron_job_v1.md
View file

File diff suppressed because it is too large Load diff

83
docs/resources/csi_driver.md
View file

@ -9,6 +9,53 @@ description: |-
The [Container Storage Interface](https://kubernetes-csi.github.io/docs/introduction.html) (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Container Orchestration Systems (COs) like Kubernetes.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard csi driver's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec of the CSIDriver (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the csi driver that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the csi driver. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the csi driver, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this csi driver that can be used by clients to determine when csi driver has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this csi driver. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `attach_required` (Boolean) Indicates if the CSI volume driver requires an attach operation
Optional:
- `pod_info_on_mount` (Boolean) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations
- `volume_lifecycle_modes` (List of String) Defines what kind of volumes this CSI volume driver supports
## Example Usage
```terraform
@ -25,42 +72,6 @@ resource "kubernetes_csi_driver" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard CSI driver's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) The Specification of the CSI Driver.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the csi driver that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the csi driver. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
### `spec`
#### Arguments
* `attach_required` - (Required) Indicates if the CSI volume driver requires an attachment operation.
* `pod_info_on_mount` - (Optional) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations.
* `volume_lifecycle_modes` - (Optional) A list of volume types the CSI volume driver supports. values can be `Persistent` and `Ephemeral`.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this csi driver that can be used by clients to determine when csi driver has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this csi driver. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
kubernetes_csi_driver can be imported using its name, e.g.

83
docs/resources/csi_driver_v1.md
View file

@ -9,6 +9,53 @@ description: |-
The [Container Storage Interface](https://kubernetes-csi.github.io/docs/introduction.html) (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Container Orchestration Systems (COs) like Kubernetes.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard csi driver's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec of the CSIDriver (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the csi driver that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the csi driver. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the csi driver, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this csi driver that can be used by clients to determine when csi driver has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this csi driver. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `attach_required` (Boolean) Indicates if the CSI volume driver requires an attach operation
Optional:
- `pod_info_on_mount` (Boolean) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations
- `volume_lifecycle_modes` (List of String) Defines what kind of volumes this CSI volume driver supports
## Example Usage
```terraform
@ -25,42 +72,6 @@ resource "kubernetes_csi_driver_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard CSI driver's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) The Specification of the CSI Driver.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the csi driver that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the csi driver. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
### `spec`
#### Arguments
* `attach_required` - (Required) Indicates if the CSI volume driver requires an attachment operation.
* `pod_info_on_mount` - (Optional) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations.
* `volume_lifecycle_modes` - (Optional) A list of volume types the CSI volume driver supports. values can be `Persistent` and `Ephemeral`.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this csi driver that can be used by clients to determine when csi driver has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this csi driver. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
kubernetes_csi_driver_v1 can be imported using its name, e.g.

3061
docs/resources/daemon_set_v1.md
View file

File diff suppressed because it is too large Load diff

3075
docs/resources/daemonset.md
View file

File diff suppressed because it is too large Load diff

117
docs/resources/default_service_account.md
View file

@ -11,6 +11,68 @@ Kubernetes creates a "default" service account in each namespace. This is the se
The `kubernetes_default_service_account` resource behaves differently from normal resources. The service account is created by a Kubernetes controller and Terraform "adopts" it into management. This resource should only be used once per namespace.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service account's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `automount_service_account_token` (Boolean) Enable automatic mounting of the service account token
- `image_pull_secret` (Block Set) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod (see [below for nested schema](#nestedblock--image_pull_secret))
- `secret` (Block Set) A list of secrets allowed to be used by pods running using this Service Account. More info: https://kubernetes.io/docs/concepts/configuration/secret (see [below for nested schema](#nestedblock--secret))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `default_secret_name` (String, Deprecated)
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service account that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service account, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service account must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service account. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--image_pull_secret"></a>
### Nested Schema for `image_pull_secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--secret"></a>
### Nested Schema for `secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -30,61 +92,6 @@ resource "kubernetes_secret" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
* `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/secret)
* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `namespace` - (Optional) Namespace defines the namespace where Terraform will adopt the default service account.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `image_pull_secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `default_secret_name` - (Deprecated) Name of the default secret, containing service account token, created & managed by the service. By default, the provider will try to find the secret containing the service account token that Kubernetes automatically created for the service account. Where there are multiple tokens and the provider cannot determine which was created by Kubernetes, this attribute will be empty. When only one token is associated with the service account, the provider will return this single token secret.
Starting from version `1.24.0` by default Kubernetes does not automatically generate tokens for service accounts. That leads to the situation when `default_secret_name` cannot be computed and thus will be an empty string. In order to create a service account token, please [use `kubernetes_secret_v1` resource](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1#example-usage-service-account-token)
## Destroying
If you remove a `kubernetes_default_service_account` resource from your configuration, Terraform will send a delete request to the Kubernetes API. Kubernetes will automatically replace this service account, but any customizations will be lost. If you no longer want to manage a default service account with Terraform, use `terraform state rm` to remove it from state before removing the configuration.
## Import
The default service account can be imported using the namespace and name, e.g.

117
docs/resources/default_service_account_v1.md
View file

@ -11,6 +11,68 @@ Kubernetes creates a "default" service account in each namespace. This is the se
The `kubernetes_default_service_account_v1` resource behaves differently from normal resources. The service account is created by a Kubernetes controller and Terraform "adopts" it into management. This resource should only be used once per namespace.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service account's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `automount_service_account_token` (Boolean) Enable automatic mounting of the service account token
- `image_pull_secret` (Block Set) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod (see [below for nested schema](#nestedblock--image_pull_secret))
- `secret` (Block Set) A list of secrets allowed to be used by pods running using this Service Account. More info: https://kubernetes.io/docs/concepts/configuration/secret (see [below for nested schema](#nestedblock--secret))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `default_secret_name` (String, Deprecated)
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service account that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service account, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service account must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service account. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--image_pull_secret"></a>
### Nested Schema for `image_pull_secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--secret"></a>
### Nested Schema for `secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -30,61 +92,6 @@ resource "kubernetes_secret_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
* `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/secret)
* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `namespace` - (Optional) Namespace defines the namespace where Terraform will adopt the default service account.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `image_pull_secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `default_secret_name` - (Deprecated) Name of the default secret, containing service account token, created & managed by the service. By default, the provider will try to find the secret containing the service account token that Kubernetes automatically created for the service account. Where there are multiple tokens and the provider cannot determine which was created by Kubernetes, this attribute will be empty. When only one token is associated with the service account, the provider will return this single token secret.
Starting from version `1.24.0` by default Kubernetes does not automatically generate tokens for service accounts. That leads to the situation when `default_secret_name` cannot be computed and thus will be an empty string. In order to create a service account token, please [use `kubernetes_secret_v1` resource](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1#example-usage-service-account-token)
## Destroying
If you remove a `kubernetes_default_service_account_v1` resource from your configuration, Terraform will send a delete request to the Kubernetes API. Kubernetes will automatically replace this service account, but any customizations will be lost. If you no longer want to manage a default service account with Terraform, use `terraform state rm` to remove it from state before removing the configuration.
## Import
The default service account can be imported using the namespace and name, e.g.

3078
docs/resources/deployment.md
View file

File diff suppressed because it is too large Load diff

3066
docs/resources/deployment_v1.md
View file

File diff suppressed because it is too large Load diff

160
docs/resources/endpoint_slice_v1.md
View file

@ -5,10 +5,99 @@ description: |-
An EndpointSlice contains references to a set of network endpoints.
---
# kubernetes_endpoints_slice_v1
# kubernetes_endpoint_slice_v1
An EndpointSlice contains references to a set of network endpoints.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `address_type` (String) address_type specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation.
- `endpoint` (Block List, Min: 1, Max: 1000) endpoint is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints. (see [below for nested schema](#nestedblock--endpoint))
- `metadata` (Block List, Min: 1, Max: 1) Standard endpoint_slice's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `port` (Block List, Min: 1, Max: 100) port specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. Each slice may include a maximum of 100 ports. (see [below for nested schema](#nestedblock--port))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--endpoint"></a>
### Nested Schema for `endpoint`
Required:
- `addresses` (List of String) addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field.
Optional:
- `condition` (Block List, Max: 1) condition contains information about the current status of the endpoint. (see [below for nested schema](#nestedblock--endpoint--condition))
- `hostname` (String) hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other.
- `node_name` (String) nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node.
- `target_ref` (Block List, Max: 1) targetRef is a reference to a Kubernetes object that represents this endpoint. (see [below for nested schema](#nestedblock--endpoint--target_ref))
- `zone` (String) zone is the name of the Zone this endpoint exists in.
<a id="nestedblock--endpoint--condition"></a>
### Nested Schema for `endpoint.condition`
Optional:
- `ready` (Boolean) ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint.
- `serving` (Boolean) serving is identical to ready except that it is set regardless of the terminating state of endpoints.
- `terminating` (Boolean) terminating indicates that this endpoint is terminating.
<a id="nestedblock--endpoint--target_ref"></a>
### Nested Schema for `endpoint.target_ref`
Required:
- `name` (String) Name of the referent.
Optional:
- `field_path` (String) If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
- `namespace` (String) Namespace of the referent.
- `resource_version` (String) Specific resourceVersion to which this reference is made, if any.
- `uid` (String) If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the endpoint_slice that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoint_slice. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the endpoint_slice, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the endpoint_slice must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this endpoint_slice that can be used by clients to determine when endpoint_slice has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this endpoint_slice. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--port"></a>
### Nested Schema for `port`
Required:
- `app_protocol` (String) The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand.
- `port` (String) port represents the port number of the endpoint.
Optional:
- `name` (String) name represents the name of this port. All ports in an EndpointSlice must have a unique name.
- `protocol` (String) protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.
## Example Usage
```terraform
@ -33,72 +122,3 @@ resource "kubernetes_endpoint_slice_v1" "test" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard endpoints' metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `address_type` - (Required) Specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: *IPv4: Represents an IPv4 Address.* IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.
* `endpoint` - (Required) A list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.
* `port` - (Required) Specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates "all ports". Each slice may include a maximum of 100 ports.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the endpoints resource that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints resource. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the endpoints resource, must be unique. Cannot be updated. This name should correspond with an accompanying Service resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the endpoints resource must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this endpoints resource that can be used by clients to determine when endpoints resource has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this endpoints resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `endpoint`
#### Arguments
* `addresses` - (Required) addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field. Consumers must handle different types of addresses in the context of their own capabilities. This must contain at least one address but no more than 100.
* `condition` - (Optional) Contains information about the current status of the endpoint.
* `hostname` - (Optional) hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.
* `node_name` - (Optional) Represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node.
* `target_ref` - (Optional) targetRef is a reference to a Kubernetes object that represents this endpoint.
* `zone` - (Optional) The name of the Zone this endpoint exists in.
### `condition`
#### Attributes
* `ready` - (Optional) Indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint.
* `serving` - (Optional) Serving is identical to ready except that it is set regardless of the terminating state of endpoints.
* `terminating` - (Optional) Indicates that this endpoint is terminating.
### `target_ref`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
* `zone` - (Optional) The name of the zone this endpoint exists in.
### `port`
#### Arguments
* `name` - (Optional) The name of this port within the endpoint. All ports within the endpoint must have unique names. Optional if only one port is defined on this endpoint.
* `port` - (Required) The port that will be utilized by this endpoint.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
* `app_protocol` - (Optional) The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand.

149
docs/resources/endpoints.md
View file

@ -5,10 +5,94 @@ description: |-
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
---
# kubernetes_endpoints
# kubernetes_endpoints
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard endpoints's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `subset` (Block Set) Set of addresses and ports that comprise a service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors (see [below for nested schema](#nestedblock--subset))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the endpoints that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the endpoints, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the endpoints must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this endpoints that can be used by clients to determine when endpoints has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this endpoints. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--subset"></a>
### Nested Schema for `subset`
Optional:
- `address` (Block Set) IP address which offers the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize. (see [below for nested schema](#nestedblock--subset--address))
- `not_ready_address` (Block Set) IP address which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. (see [below for nested schema](#nestedblock--subset--not_ready_address))
- `port` (Block Set) Port number available on the related IP addresses. (see [below for nested schema](#nestedblock--subset--port))
<a id="nestedblock--subset--address"></a>
### Nested Schema for `subset.address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--not_ready_address"></a>
### Nested Schema for `subset.not_ready_address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--port"></a>
### Nested Schema for `subset.port`
Required:
- `port` (Number) The port that will be exposed by this endpoint.
Optional:
- `name` (String) The name of this port within the endpoint. Must be a DNS_LABEL. Optional if only one Port is defined on this endpoint.
- `protocol` (String) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
## Example Usage
```terraform
@ -81,69 +165,6 @@ resource "kubernetes_service" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard endpoints' metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `subset` - (Optional) Set of addresses and ports that comprise a service. Can be repeated multiple times.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the endpoints resource that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints resource. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the endpoints resource, must be unique. Cannot be updated. This name should correspond with an accompanying Service resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the endpoints resource must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this endpoints resource that can be used by clients to determine when endpoints resource has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this endpoints resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `subset`
#### Arguments
* `address` - (Optional) An IP address block which offers the related ports and is ready to accept traffic. These endpoints should be considered safe for load balancers and clients to utilize. Can be repeated multiple times.
* `not_ready_address` - (Optional) A IP address block which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. Can be repeated multiple times.
* `port` - (Optional) A port number block available on the related IP addresses. Can be repeated multiple times.
### `address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `not_ready_address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `port`
#### Arguments
* `name` - (Optional) The name of this port within the endpoint. All ports within the endpoint must have unique names. Optional if only one port is defined on this endpoint.
* `port` - (Required) The port that will be utilized by this endpoint.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
## Import
An Endpoints resource can be imported using its namespace and name, e.g.

147
docs/resources/endpoints_v1.md
View file

@ -9,6 +9,90 @@ description: |-
An Endpoints resource is an abstraction, linked to a Service, which defines the list of endpoints that actually implement the service.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard endpoints's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `subset` (Block Set) Set of addresses and ports that comprise a service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors (see [below for nested schema](#nestedblock--subset))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the endpoints that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the endpoints, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the endpoints must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this endpoints that can be used by clients to determine when endpoints has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this endpoints. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--subset"></a>
### Nested Schema for `subset`
Optional:
- `address` (Block Set) IP address which offers the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize. (see [below for nested schema](#nestedblock--subset--address))
- `not_ready_address` (Block Set) IP address which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. (see [below for nested schema](#nestedblock--subset--not_ready_address))
- `port` (Block Set) Port number available on the related IP addresses. (see [below for nested schema](#nestedblock--subset--port))
<a id="nestedblock--subset--address"></a>
### Nested Schema for `subset.address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--not_ready_address"></a>
### Nested Schema for `subset.not_ready_address`
Required:
- `ip` (String) The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
Optional:
- `hostname` (String) The Hostname of this endpoint.
- `node_name` (String) Node hosting this endpoint. This can be used to determine endpoints local to a node.
<a id="nestedblock--subset--port"></a>
### Nested Schema for `subset.port`
Required:
- `port` (Number) The port that will be exposed by this endpoint.
Optional:
- `name` (String) The name of this port within the endpoint. Must be a DNS_LABEL. Optional if only one Port is defined on this endpoint.
- `protocol` (String) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
## Example Usage
```terraform
@ -81,69 +165,6 @@ resource "kubernetes_service_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard endpoints' metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `subset` - (Optional) Set of addresses and ports that comprise a service. Can be repeated multiple times.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the endpoints resource that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the endpoints resource. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the endpoints resource, must be unique. Cannot be updated. This name should correspond with an accompanying Service resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the endpoints resource must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this endpoints resource that can be used by clients to determine when endpoints resource has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this endpoints resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `subset`
#### Arguments
* `address` - (Optional) An IP address block which offers the related ports and is ready to accept traffic. These endpoints should be considered safe for load balancers and clients to utilize. Can be repeated multiple times.
* `not_ready_address` - (Optional) A IP address block which offers the related ports but is not currently marked as ready because it have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check. Can be repeated multiple times.
* `port` - (Optional) A port number block available on the related IP addresses. Can be repeated multiple times.
### `address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `not_ready_address`
#### Attributes
* `ip` - The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).
* `hostname` - (Optional) The Hostname of this endpoint.
* `node_name` - (Optional) Node hosting this endpoint. This can be used to determine endpoints local to a node.
### `port`
#### Arguments
* `name` - (Optional) The name of this port within the endpoint. All ports within the endpoint must have unique names. Optional if only one port is defined on this endpoint.
* `port` - (Required) The port that will be utilized by this endpoint.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
## Import
An Endpoints resource can be imported using its namespace and name, e.g.

171
docs/resources/env.md
View file

@ -9,6 +9,107 @@ description: |-
This resource provides a way to manage environment variables in resources that were created outside of Terraform. This resource provides functionality similar to the `kubectl set env` command.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `api_version` (String) Resource API version
- `env` (Block List, Min: 1) List of custom values used to represent environment variables (see [below for nested schema](#nestedblock--env))
- `kind` (String) Resource Kind
- `metadata` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--metadata))
### Optional
- `container` (String) Name of the container for which we are updating the environment variables.
- `field_manager` (String) Set the name of the field manager for the specified environment variables.
- `force` (Boolean) Force overwriting environments that were created or edited outside of Terraform.
- `init_container` (String) Name of the initContainer for which we are updating the environment variables.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--env"></a>
### Nested Schema for `env`
Required:
- `name` (String) Name of the environment variable. Must be a C_IDENTIFIER
Optional:
- `value` (String) Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".
- `value_from` (Block List, Max: 1) Source for the environment variable's value (see [below for nested schema](#nestedblock--env--value_from))
<a id="nestedblock--env--value_from"></a>
### Nested Schema for `env.value_from`
Optional:
- `config_map_key_ref` (Block List, Max: 1) Selects a key of a ConfigMap. (see [below for nested schema](#nestedblock--env--value_from--config_map_key_ref))
- `field_ref` (Block List, Max: 1) Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.podIP. (see [below for nested schema](#nestedblock--env--value_from--field_ref))
- `resource_field_ref` (Block List, Max: 1) Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. (see [below for nested schema](#nestedblock--env--value_from--resource_field_ref))
- `secret_key_ref` (Block List, Max: 1) Selects a key of a secret in the pod's namespace. (see [below for nested schema](#nestedblock--env--value_from--secret_key_ref))
<a id="nestedblock--env--value_from--config_map_key_ref"></a>
### Nested Schema for `env.value_from.config_map_key_ref`
Optional:
- `key` (String) The key to select.
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `optional` (Boolean) Specify whether the ConfigMap or its key must be defined.
<a id="nestedblock--env--value_from--field_ref"></a>
### Nested Schema for `env.value_from.field_ref`
Optional:
- `api_version` (String) Version of the schema the FieldPath is written in terms of, defaults to "v1".
- `field_path` (String) Path of the field to select in the specified API version
<a id="nestedblock--env--value_from--resource_field_ref"></a>
### Nested Schema for `env.value_from.resource_field_ref`
Required:
- `resource` (String) Resource to select
Optional:
- `container_name` (String)
- `divisor` (String)
<a id="nestedblock--env--value_from--secret_key_ref"></a>
### Nested Schema for `env.value_from.secret_key_ref`
Optional:
- `key` (String) The key of the secret to select from. Must be a valid secret key.
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `optional` (Boolean) Specify whether the Secret or its key must be defined.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `name` (String) The name of the resource.
Optional:
- `namespace` (String) The namespace of the resource.
## Example Usage
```terraform
@ -33,76 +134,6 @@ resource "kubernetes_env" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `api_version` - (Required) The apiVersion of the resource to add environment variables to.
* `kind` - (Required) The kind of the resource to add environment variables to.
* `metadata` - (Required) Standard metadata of the resource to add environment variables to.
* `container` - (Optional) Name of the container for which we are updating the environment variables.
* `init_container` - (Optional) Name of the initContainer for which we are updating the environment variables.
* `env` - (Required) Value block with custom values used to represent environment variables
* `force` - (Optional) Force management of environment variables if there is a conflict.
* `field_manager` - (Optional) The name of the [field manager](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management). Defaults to `Terraform`.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the resource to add environment variables to.
* `namespace` - (Optional) Namespace of the resource to add environment variables to.
### `env`
#### Arguments
* `name` - (Required) Name of the environment variable. Must be a C_IDENTIFIER
* `value` - (Optional) Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".
* `value_from` - (Optional) Source for the environment variable's value
### `value_from`
#### Arguments
* `config_map_key_ref` - (Optional) Selects a key of a ConfigMap.
* `field_ref` - (Optional) Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.podIP.
* `resource_field_ref` - (Optional) Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
* `secret_key_ref` - (Optional) Selects a key of a secret in the pod's namespace.
### `config_map_key_ref`
#### Arguments
* `key` - (Optional) The key to select.
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `optional` - (Optional) Specify whether the Secret or its key must be defined
### `field_ref`
#### Arguments
* `api_version` - (Optional) Version of the schema the FieldPath is written in terms of, defaults to "v1".
* `field_path` - (Optional) Path of the field to select in the specified API version
### `resource_field_ref`
#### Arguments
* `container_name` - (Optional) The name of the container
* `resource` - (Required) Resource to select
* `divisor` - (Optional) Specifies the output format of the exposed resources, defaults to "1".
### `secret_key_ref`
#### Arguments
* `key` - (Optional) The key of the secret to select from. Must be a valid secret key.
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `optional` - (Optional) Specify whether the Secret or its key must be defined
## Import
This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.

507
docs/resources/horizontal_pod_autoscaler.md
View file

@ -9,6 +9,373 @@ description: |-
Horizontal Pod Autoscaler automatically scales the number of pods in a replication controller, deployment or replica set based on observed CPU utilization.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard horizontal pod autoscaler's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this horizontal pod autoscaler. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `max_replicas` (Number) Upper limit for the number of pods that can be set by the autoscaler.
- `scale_target_ref` (Block List, Min: 1, Max: 1) Reference to scaled resource. e.g. Replication Controller (see [below for nested schema](#nestedblock--spec--scale_target_ref))
Optional:
- `behavior` (Block List, Max: 1) Behavior configures the scaling behavior of the target in both Up and Down directions (`scale_up` and `scale_down` fields respectively). (see [below for nested schema](#nestedblock--spec--behavior))
- `metric` (Block List) The specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. (see [below for nested schema](#nestedblock--spec--metric))
- `min_replicas` (Number) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
- `target_cpu_utilization_percentage` (Number) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
<a id="nestedblock--spec--scale_target_ref"></a>
### Nested Schema for `spec.scale_target_ref`
Required:
- `kind` (String) Kind of the referent. e.g. `ReplicationController`. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Optional:
- `api_version` (String) API version of the referent
<a id="nestedblock--spec--behavior"></a>
### Nested Schema for `spec.behavior`
Optional:
- `scale_down` (Block List) Scaling policy for scaling Down (see [below for nested schema](#nestedblock--spec--behavior--scale_down))
- `scale_up` (Block List) Scaling policy for scaling Up (see [below for nested schema](#nestedblock--spec--behavior--scale_up))
<a id="nestedblock--spec--behavior--scale_down"></a>
### Nested Schema for `spec.behavior.scale_down`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_down--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_down--policy"></a>
### Nested Schema for `spec.behavior.scale_down.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--behavior--scale_up"></a>
### Nested Schema for `spec.behavior.scale_up`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_up--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_up--policy"></a>
### Nested Schema for `spec.behavior.scale_up.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--metric"></a>
### Nested Schema for `spec.metric`
Required:
- `type` (String) type is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled
Optional:
- `container_resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--container_resource))
- `external` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--external))
- `object` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object))
- `pods` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--pods))
- `resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--resource))
<a id="nestedblock--spec--metric--container_resource"></a>
### Nested Schema for `spec.metric.container_resource`
Required:
- `container` (String) name of the container in the pods of the scaling target
- `name` (String) name of the resource in question
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--container_resource--target))
<a id="nestedblock--spec--metric--container_resource--target"></a>
### Nested Schema for `spec.metric.container_resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--external"></a>
### Nested Schema for `spec.metric.external`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--external--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--external--target))
<a id="nestedblock--spec--metric--external--metric"></a>
### Nested Schema for `spec.metric.external.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector))
<a id="nestedblock--spec--metric--external--metric--selector"></a>
### Nested Schema for `spec.metric.external.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--external--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.external.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--external--target"></a>
### Nested Schema for `spec.metric.external.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--object"></a>
### Nested Schema for `spec.metric.object`
Required:
- `described_object` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object--described_object))
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--object--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--object--target))
<a id="nestedblock--spec--metric--object--described_object"></a>
### Nested Schema for `spec.metric.object.described_object`
Required:
- `api_version` (String) API version of the referent
- `kind` (String) Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- `name` (String) Name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--metric--object--metric"></a>
### Nested Schema for `spec.metric.object.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector))
<a id="nestedblock--spec--metric--object--metric--selector"></a>
### Nested Schema for `spec.metric.object.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--object--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.object.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--object--target"></a>
### Nested Schema for `spec.metric.object.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--pods"></a>
### Nested Schema for `spec.metric.pods`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--pods--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--pods--target))
<a id="nestedblock--spec--metric--pods--metric"></a>
### Nested Schema for `spec.metric.pods.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector))
<a id="nestedblock--spec--metric--pods--metric--selector"></a>
### Nested Schema for `spec.metric.pods.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--pods--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.pods.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--pods--target"></a>
### Nested Schema for `spec.metric.pods.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--resource"></a>
### Nested Schema for `spec.metric.resource`
Required:
- `name` (String) name is the name of the resource in question.
Optional:
- `target` (Block List, Max: 1) Target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--resource--target))
<a id="nestedblock--spec--metric--resource--target"></a>
### Nested Schema for `spec.metric.resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
## Example Usage
```terraform
@ -127,146 +494,6 @@ If you wish to use `autoscaling/v1` use the `target_cpu_utilization_percentage`
If you wish to use `autoscaling/v2beta2` then set one or more `metric` fields.
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard horizontal pod autoscaler's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Behaviour of the autoscaler. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this horizontal pod autoscaler. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `max_replicas` - (Required) Upper limit for the number of pods that can be set by the autoscaler.
* `min_replicas` - (Optional) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
* `scale_target_ref` - (Required) Reference to scaled resource. e.g. Replication Controller
* `target_cpu_utilization_percentage` - (Optional) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
* `metric` - (Optional) A metric on which to scale.
* `behavior` - (Optional) Behavior configures the scaling behavior of the target in both Up and Down directions (scale_up and scale_down fields respectively)
### `metric`
#### Arguments
* `type` - (Required) The type of metric. It can be one of "Object", "Pods", "Resource", or "External".
* `object` - (Optional) A metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
* `pods` - (Optional) A metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.
* `resource` - (Optional) A resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
* `external` - (Optional) A global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
### Metric Type: `external`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `object`
#### Arguments
* `described_object` - (Required) Reference to the object.
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `pods`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `resource`
#### Arguments
* `name` - (Required) Name of the resource in question.
* `target` - (Required) The target for the given metric.
### `metric`
#### Arguments
* `name` - (Required) The name of the given metric
* `selector` - (Optional) The label selector for the given metric
### `target`
#### Arguments
* `type` - (Required) Represents whether the metric type is Utilization, Value, or AverageValue.
* `average_value` - (Optional) The target value of the average of the metric across all relevant pods (as a quantity).
* `average_utilization` - (Optional) The target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type.
* `value` - (Optional) value is the target value of the metric (as a quantity).
#### Quantities
See [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for documentation on resource management for pods and containers.
### `described_object`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `scale_target_ref`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `behavior`
#### Arguments
* `scale_up` - (Optional) Scaling policy for scaling Up
* `scale_down` - (Optional) Scaling policy for scaling Down
### `scale_up`
#### Arguments
* `policy` - (Required) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid.
* `select_policy` - (Optional) Used to specify which policy should be used. If not set, the default value Max is used.
* `stabilization_window_seconds` - (Optional) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
### `policy`
#### Arguments
* `period_seconds` - (Required) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
* `type` - (Required) Type is used to specify the scaling policy: Percent or Pods
* `value` - (Required) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
## Import
Horizontal Pod Autoscaler can be imported using the namespace and name, e.g.

109
docs/resources/horizontal_pod_autoscaler_v1.md
View file

@ -5,10 +5,69 @@ description: |-
Horizontal Pod Autoscaler automatically scales the number of pods in a replication controller, deployment or replica set based on observed CPU utilization.
---
# kubernetes_horizontal_pod_autoscaler_v1
# kubernetes_horizontal_pod_autoscaler_v1
Horizontal Pod Autoscaler automatically scales the number of pods in a replication controller, deployment or replica set based on observed CPU utilization.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard horizontal pod autoscaler's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this horizontal pod autoscaler. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `max_replicas` (Number) Upper limit for the number of pods that can be set by the autoscaler.
- `scale_target_ref` (Block List, Min: 1, Max: 1) Reference to scaled resource. e.g. Replication Controller (see [below for nested schema](#nestedblock--spec--scale_target_ref))
Optional:
- `min_replicas` (Number) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
- `target_cpu_utilization_percentage` (Number) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
<a id="nestedblock--spec--scale_target_ref"></a>
### Nested Schema for `spec.scale_target_ref`
Required:
- `kind` (String) Kind of the referent. e.g. `ReplicationController`. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Optional:
- `api_version` (String) API version of the referent
## Example Usage
```terraform
@ -29,54 +88,6 @@ resource "kubernetes_horizontal_pod_autoscaler_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard horizontal pod autoscaler's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Behaviour of the autoscaler. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this horizontal pod autoscaler. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `max_replicas` - (Required) Upper limit for the number of pods that can be set by the autoscaler.
* `min_replicas` - (Optional) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
* `scale_target_ref` - (Required) Reference to scaled resource. e.g. Replication Controller
* `target_cpu_utilization_percentage` - (Optional) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
### `scale_target_ref`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
## Import
Horizontal Pod Autoscaler can be imported using the namespace and name, e.g.

515
docs/resources/horizontal_pod_autoscaler_v2.md
View file

@ -9,6 +9,373 @@ description: |-
Horizontal Pod Autoscaler automatically scales the number of pods in a replication controller, deployment or replica set based on observed CPU utilization.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard horizontal pod autoscaler's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this horizontal pod autoscaler. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `max_replicas` (Number) Upper limit for the number of pods that can be set by the autoscaler.
- `scale_target_ref` (Block List, Min: 1, Max: 1) Reference to scaled resource. e.g. Replication Controller (see [below for nested schema](#nestedblock--spec--scale_target_ref))
Optional:
- `behavior` (Block List, Max: 1) Behavior configures the scaling behavior of the target in both Up and Down directions (`scale_up` and `scale_down` fields respectively). (see [below for nested schema](#nestedblock--spec--behavior))
- `metric` (Block List) The specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. (see [below for nested schema](#nestedblock--spec--metric))
- `min_replicas` (Number) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
- `target_cpu_utilization_percentage` (Number) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
<a id="nestedblock--spec--scale_target_ref"></a>
### Nested Schema for `spec.scale_target_ref`
Required:
- `kind` (String) Kind of the referent. e.g. `ReplicationController`. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Optional:
- `api_version` (String) API version of the referent
<a id="nestedblock--spec--behavior"></a>
### Nested Schema for `spec.behavior`
Optional:
- `scale_down` (Block List) Scaling policy for scaling Down (see [below for nested schema](#nestedblock--spec--behavior--scale_down))
- `scale_up` (Block List) Scaling policy for scaling Up (see [below for nested schema](#nestedblock--spec--behavior--scale_up))
<a id="nestedblock--spec--behavior--scale_down"></a>
### Nested Schema for `spec.behavior.scale_down`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_down--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_down--policy"></a>
### Nested Schema for `spec.behavior.scale_down.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--behavior--scale_up"></a>
### Nested Schema for `spec.behavior.scale_up`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_up--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_up--policy"></a>
### Nested Schema for `spec.behavior.scale_up.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--metric"></a>
### Nested Schema for `spec.metric`
Required:
- `type` (String) type is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled
Optional:
- `container_resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--container_resource))
- `external` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--external))
- `object` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object))
- `pods` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--pods))
- `resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--resource))
<a id="nestedblock--spec--metric--container_resource"></a>
### Nested Schema for `spec.metric.container_resource`
Required:
- `container` (String) name of the container in the pods of the scaling target
- `name` (String) name of the resource in question
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--container_resource--target))
<a id="nestedblock--spec--metric--container_resource--target"></a>
### Nested Schema for `spec.metric.container_resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--external"></a>
### Nested Schema for `spec.metric.external`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--external--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--external--target))
<a id="nestedblock--spec--metric--external--metric"></a>
### Nested Schema for `spec.metric.external.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector))
<a id="nestedblock--spec--metric--external--metric--selector"></a>
### Nested Schema for `spec.metric.external.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--external--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.external.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--external--target"></a>
### Nested Schema for `spec.metric.external.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--object"></a>
### Nested Schema for `spec.metric.object`
Required:
- `described_object` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object--described_object))
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--object--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--object--target))
<a id="nestedblock--spec--metric--object--described_object"></a>
### Nested Schema for `spec.metric.object.described_object`
Required:
- `api_version` (String) API version of the referent
- `kind` (String) Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- `name` (String) Name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--metric--object--metric"></a>
### Nested Schema for `spec.metric.object.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector))
<a id="nestedblock--spec--metric--object--metric--selector"></a>
### Nested Schema for `spec.metric.object.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--object--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.object.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--object--target"></a>
### Nested Schema for `spec.metric.object.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--pods"></a>
### Nested Schema for `spec.metric.pods`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--pods--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--pods--target))
<a id="nestedblock--spec--metric--pods--metric"></a>
### Nested Schema for `spec.metric.pods.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector))
<a id="nestedblock--spec--metric--pods--metric--selector"></a>
### Nested Schema for `spec.metric.pods.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--pods--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.pods.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--pods--target"></a>
### Nested Schema for `spec.metric.pods.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--resource"></a>
### Nested Schema for `spec.metric.resource`
Required:
- `name` (String) name is the name of the resource in question.
Optional:
- `target` (Block List, Max: 1) Target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--resource--target))
<a id="nestedblock--spec--metric--resource--target"></a>
### Nested Schema for `spec.metric.resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
## Example Usage, with `metric`
```terraform
@ -99,154 +466,6 @@ resource "kubernetes_horizontal_pod_autoscaler_v2" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard horizontal pod autoscaler's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Behaviour of the autoscaler. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this horizontal pod autoscaler. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `max_replicas` - (Required) Upper limit for the number of pods that can be set by the autoscaler.
* `min_replicas` - (Optional) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
* `scale_target_ref` - (Required) Reference to scaled resource. e.g. Replication Controller
* `metric` - (Optional) A metric on which to scale.
* `behavior` - (Optional) Behavior configures the scaling behavior of the target in both Up and Down directions (`scale_up` and `scale_down` fields respectively)
### `metric`
#### Arguments
* `type` - (Required) The type of metric. It can be one of "Object", "Pods", "Resource", "External", or "ContainerResource".
* `object` - (Optional) A metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
* `pods` - (Optional) A metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.
* `resource` - (Optional) A resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
* `external` - (Optional) A global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
* `container_resource` - (Optional) A resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
### Metric Type: `container_resource`
#### Arguments
* `container` - (Required) Name of the container in the pods of the scaling target.
* `name` - (Required) Name of the resource in question.
* `target` - (Required) The target for the given metric.
### Metric Type: `external`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `object`
#### Arguments
* `described_object` - (Required) Reference to the object.
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `pods`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `resource`
#### Arguments
* `name` - (Required) Name of the resource in question.
* `target` - (Required) The target for the given metric.
### `metric`
#### Arguments
* `name` - (Required) The name of the given metric
* `selector` - (Optional) The label selector for the given metric
### `target`
#### Arguments
* `type` - (Required) Represents whether the metric type is Utilization, Value, or AverageValue.
* `average_value` - (Optional) The target value of the average of the metric across all relevant pods (as a quantity).
* `average_utilization` - (Optional) The target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type.
* `value` - (Optional) value is the target value of the metric (as a quantity).
#### Quantities
See [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for documentation on resource management for pods and containers.
### `described_object`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `scale_target_ref`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `behavior`
#### Arguments
* `scale_up` - (Optional) Scaling policy for scaling Up
* `scale_down` - (Optional) Scaling policy for scaling Down
### `scale_up`
#### Arguments
* `policy` - (Required) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid.
* `select_policy` - (Optional) Used to specify which policy should be used. If not set, the default value Max is used.
* `stabilization_window_seconds` - (Optional) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
### `policy`
#### Arguments
* `period_seconds` - (Required) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
* `type` - (Required) Type is used to specify the scaling policy: Percent or Pods
* `value` - (Required) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
## Import
Horizontal Pod Autoscaler can be imported using the namespace and name, e.g.

515
docs/resources/horizontal_pod_autoscaler_v2beta2.md
View file

@ -9,6 +9,373 @@ description: |-
Horizontal Pod Autoscaler automatically scales the number of pods in a replication controller, deployment or replica set based on observed CPU utilization.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard horizontal pod autoscaler's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this horizontal pod autoscaler. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `max_replicas` (Number) Upper limit for the number of pods that can be set by the autoscaler.
- `scale_target_ref` (Block List, Min: 1, Max: 1) Reference to scaled resource. e.g. Replication Controller (see [below for nested schema](#nestedblock--spec--scale_target_ref))
Optional:
- `behavior` (Block List, Max: 1) Behavior configures the scaling behavior of the target in both Up and Down directions (`scale_up` and `scale_down` fields respectively). (see [below for nested schema](#nestedblock--spec--behavior))
- `metric` (Block List) The specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization. (see [below for nested schema](#nestedblock--spec--metric))
- `min_replicas` (Number) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
- `target_cpu_utilization_percentage` (Number) Target average CPU utilization (represented as a percentage of requested CPU) over all the pods. If not specified the default autoscaling policy will be used.
<a id="nestedblock--spec--scale_target_ref"></a>
### Nested Schema for `spec.scale_target_ref`
Required:
- `kind` (String) Kind of the referent. e.g. `ReplicationController`. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Optional:
- `api_version` (String) API version of the referent
<a id="nestedblock--spec--behavior"></a>
### Nested Schema for `spec.behavior`
Optional:
- `scale_down` (Block List) Scaling policy for scaling Down (see [below for nested schema](#nestedblock--spec--behavior--scale_down))
- `scale_up` (Block List) Scaling policy for scaling Up (see [below for nested schema](#nestedblock--spec--behavior--scale_up))
<a id="nestedblock--spec--behavior--scale_down"></a>
### Nested Schema for `spec.behavior.scale_down`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_down--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_down--policy"></a>
### Nested Schema for `spec.behavior.scale_down.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--behavior--scale_up"></a>
### Nested Schema for `spec.behavior.scale_up`
Required:
- `policy` (Block List, Min: 1) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid. (see [below for nested schema](#nestedblock--spec--behavior--scale_up--policy))
Optional:
- `select_policy` (String) Used to specify which policy should be used. If not set, the default value Max is used.
- `stabilization_window_seconds` (Number) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
<a id="nestedblock--spec--behavior--scale_up--policy"></a>
### Nested Schema for `spec.behavior.scale_up.policy`
Required:
- `period_seconds` (Number) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
- `type` (String) Type is used to specify the scaling policy: Percent or Pods
- `value` (Number) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
<a id="nestedblock--spec--metric"></a>
### Nested Schema for `spec.metric`
Required:
- `type` (String) type is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled
Optional:
- `container_resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--container_resource))
- `external` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--external))
- `object` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object))
- `pods` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--pods))
- `resource` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--resource))
<a id="nestedblock--spec--metric--container_resource"></a>
### Nested Schema for `spec.metric.container_resource`
Required:
- `container` (String) name of the container in the pods of the scaling target
- `name` (String) name of the resource in question
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--container_resource--target))
<a id="nestedblock--spec--metric--container_resource--target"></a>
### Nested Schema for `spec.metric.container_resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--external"></a>
### Nested Schema for `spec.metric.external`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--external--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--external--target))
<a id="nestedblock--spec--metric--external--metric"></a>
### Nested Schema for `spec.metric.external.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector))
<a id="nestedblock--spec--metric--external--metric--selector"></a>
### Nested Schema for `spec.metric.external.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--external--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--external--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.external.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--external--target"></a>
### Nested Schema for `spec.metric.external.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--object"></a>
### Nested Schema for `spec.metric.object`
Required:
- `described_object` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--spec--metric--object--described_object))
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--object--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--object--target))
<a id="nestedblock--spec--metric--object--described_object"></a>
### Nested Schema for `spec.metric.object.described_object`
Required:
- `api_version` (String) API version of the referent
- `kind` (String) Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- `name` (String) Name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--metric--object--metric"></a>
### Nested Schema for `spec.metric.object.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector))
<a id="nestedblock--spec--metric--object--metric--selector"></a>
### Nested Schema for `spec.metric.object.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--object--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--object--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.object.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--object--target"></a>
### Nested Schema for `spec.metric.object.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--pods"></a>
### Nested Schema for `spec.metric.pods`
Required:
- `metric` (Block List, Min: 1, Max: 1) metric identifies the target metric by name and selector (see [below for nested schema](#nestedblock--spec--metric--pods--metric))
Optional:
- `target` (Block List, Max: 1) target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--pods--target))
<a id="nestedblock--spec--metric--pods--metric"></a>
### Nested Schema for `spec.metric.pods.metric`
Required:
- `name` (String) name is the name of the given metric
Optional:
- `selector` (Block List) selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector))
<a id="nestedblock--spec--metric--pods--metric--selector"></a>
### Nested Schema for `spec.metric.pods.metric.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--metric--pods--metric--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--metric--pods--metric--selector--match_expressions"></a>
### Nested Schema for `spec.metric.pods.metric.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--metric--pods--target"></a>
### Nested Schema for `spec.metric.pods.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
<a id="nestedblock--spec--metric--resource"></a>
### Nested Schema for `spec.metric.resource`
Required:
- `name` (String) name is the name of the resource in question.
Optional:
- `target` (Block List, Max: 1) Target specifies the target value for the given metric (see [below for nested schema](#nestedblock--spec--metric--resource--target))
<a id="nestedblock--spec--metric--resource--target"></a>
### Nested Schema for `spec.metric.resource.target`
Required:
- `type` (String) type represents whether the metric type is Utilization, Value, or AverageValue
Optional:
- `average_utilization` (Number) averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type
- `average_value` (String) averageValue is the target value of the average of the metric across all relevant pods (as a quantity)
- `value` (String) value is the target value of the metric (as a quantity).
## Example Usage, with `metric`
```terraform
@ -99,154 +466,6 @@ resource "kubernetes_horizontal_pod_autoscaler_v2beta2" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard horizontal pod autoscaler's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Behaviour of the autoscaler. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the horizontal pod autoscaler that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the horizontal pod autoscaler. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the horizontal pod autoscaler, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the horizontal pod autoscaler must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this horizontal pod autoscaler that can be used by clients to determine when horizontal pod autoscaler has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this horizontal pod autoscaler. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `max_replicas` - (Required) Upper limit for the number of pods that can be set by the autoscaler.
* `min_replicas` - (Optional) Lower limit for the number of pods that can be set by the autoscaler, defaults to `1`.
* `scale_target_ref` - (Required) Reference to scaled resource. e.g. Replication Controller
* `metric` - (Optional) A metric on which to scale.
* `behavior` - (Optional) Behavior configures the scaling behavior of the target in both Up and Down directions (`scale_up` and `scale_down` fields respectively)
### `metric`
#### Arguments
* `type` - (Required) The type of metric. It can be one of "Object", "Pods", "Resource", "External", or "ContainerResource".
* `object` - (Optional) A metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
* `pods` - (Optional) A metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.
* `resource` - (Optional) A resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
* `external` - (Optional) A global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
* `container_resource` - (Optional) A resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
### Metric Type: `container_resource`
#### Arguments
* `container` - (Required) Name of the container in the pods of the scaling target.
* `name` - (Required) Name of the resource in question.
* `target` - (Required) The target for the given metric.
### Metric Type: `external`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `object`
#### Arguments
* `described_object` - (Required) Reference to the object.
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `pods`
#### Arguments
* `metric` - (Required) Identifies the target by name and selector.
* `target` - (Required) The target for the given metric.
### Metric Type: `resource`
#### Arguments
* `name` - (Required) Name of the resource in question.
* `target` - (Required) The target for the given metric.
### `metric`
#### Arguments
* `name` - (Required) The name of the given metric
* `selector` - (Optional) The label selector for the given metric
### `target`
#### Arguments
* `type` - (Required) Represents whether the metric type is Utilization, Value, or AverageValue.
* `average_value` - (Optional) The target value of the average of the metric across all relevant pods (as a quantity).
* `average_utilization` - (Optional) The target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type.
* `value` - (Optional) value is the target value of the metric (as a quantity).
#### Quantities
See [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for documentation on resource management for pods and containers.
### `described_object`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `scale_target_ref`
#### Arguments
* `api_version` - (Optional) API version of the referent. This argument is optional for the `v1` API version referents and mandatory for the rest.
* `kind` - (Required) Kind of the referent. e.g. `ReplicationController`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds)
* `name` - (Required) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `behavior`
#### Arguments
* `scale_up` - (Optional) Scaling policy for scaling Up
* `scale_down` - (Optional) Scaling policy for scaling Down
### `scale_up`
#### Arguments
* `policy` - (Required) List of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the scaling rule will be discarded as invalid.
* `select_policy` - (Optional) Used to specify which policy should be used. If not set, the default value Max is used.
* `stabilization_window_seconds` - (Optional) Number of seconds for which past recommendations should be considered while scaling up or scaling down. This value must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
### `policy`
#### Arguments
* `period_seconds` - (Required) Period specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
* `type` - (Required) Type is used to specify the scaling policy: Percent or Pods
* `value` - (Required) Value contains the amount of change which is permitted by the policy. It must be greater than zero.
## Import
Horizontal Pod Autoscaler can be imported using the namespace and name, e.g.

227
docs/resources/ingress.md
View file

@ -9,6 +9,143 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Optional
- `wait_for_load_balancer` (Boolean) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created.
### Read-Only
- `id` (String) The ID of this resource.
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the ingress must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress that can be used by clients to determine when ingress has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `backend` (Block List, Max: 1) A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default. (see [below for nested schema](#nestedblock--spec--backend))
- `ingress_class_name` (String) ingressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.
- `rule` (Block List) (see [below for nested schema](#nestedblock--spec--rule))
- `tls` (Block List) tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. (see [below for nested schema](#nestedblock--spec--tls))
<a id="nestedblock--spec--backend"></a>
### Nested Schema for `spec.backend`
Optional:
- `service_name` (String) Specifies the name of the referenced service.
- `service_port` (String) Specifies the port of the referenced service.
<a id="nestedblock--spec--rule"></a>
### Nested Schema for `spec.rule`
Required:
- `http` (Block List, Min: 1, Max: 1) http is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. (see [below for nested schema](#nestedblock--spec--rule--http))
Optional:
- `host` (String) host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
the IP in the Spec of the parent Ingress.
2. The `:` delimiter is not respected because ports are not allowed.
Currently the port of an Ingress is implicitly :80 for http and
:443 for https.
Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.
<a id="nestedblock--spec--rule--http"></a>
### Nested Schema for `spec.rule.http`
Required:
- `path` (Block List, Min: 1) (see [below for nested schema](#nestedblock--spec--rule--http--path))
<a id="nestedblock--spec--rule--http--path"></a>
### Nested Schema for `spec.rule.http.path`
Optional:
- `backend` (Block List, Max: 1) Backend defines the referenced service endpoint to which the traffic will be forwarded to. (see [below for nested schema](#nestedblock--spec--rule--http--path--backend))
- `path` (String) path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value "Exact" or "Prefix".
<a id="nestedblock--spec--rule--http--path--backend"></a>
### Nested Schema for `spec.rule.http.path.backend`
Optional:
- `service_name` (String) Specifies the name of the referenced service.
- `service_port` (String) Specifies the port of the referenced service.
<a id="nestedblock--spec--tls"></a>
### Nested Schema for `spec.tls`
Optional:
- `hosts` (List of String) hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
- `secret_name` (String) secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
@ -179,96 +316,6 @@ output "load_balancer_ip" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard ingress's metadata. For more info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
* `spec` - (Required) Spec defines the behavior of a ingress. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `false`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `backend` - (Optional) Backend defines the referenced service endpoint to which the traffic will be forwarded. See `backend` block attributes below.
* `rule` - (Optional) A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - (Optional) TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - (Optional) The ingress class name references an IngressClass resource that contains additional configuration including the name of the controller that should implement the class.
### `backend`
#### Arguments
* `service_name` - (Optional) Specifies the name of the referenced service.
* `service_port` - (Optional) Specifies the port of the referenced service.
### `rule`
#### Arguments
* `host` - (Optional) Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - (Required) http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - (Required) Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - (Required) A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `backend` - (Required) Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Arguments
* `hosts` - (Optional) Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - (Optional) SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
## Import
Ingress can be imported using its namespace and name:

103
docs/resources/ingress_class.md
View file

@ -9,6 +9,61 @@ description: |-
Ingresses can be implemented by different controllers, often with different configuration. Each Ingress should specify a class, a reference to an IngressClass resource that contains additional configuration including the name of the controller that should implement the class.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress_class_v1's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress_class_v1 that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress_class_v1. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress_class_v1, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress_class_v1 that can be used by clients to determine when ingress_class_v1 has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress_class_v1. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `controller` (String) controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.
- `parameters` (Block List) (see [below for nested schema](#nestedblock--spec--parameters))
<a id="nestedblock--spec--parameters"></a>
### Nested Schema for `spec.parameters`
Required:
- `kind` (String) Kind is the type of resource being referenced
- `name` (String) Name is the name of resource being referenced
Optional:
- `api_group` (String) APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
- `namespace` (String)
- `scope` (String)
## Example Usage
```terraform
@ -28,54 +83,6 @@ resource "kubernetes_ingress_class" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard ingress's metadata. For more info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
* `spec` - (Required) Spec defines the behavior of a ingress. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `false`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the ingress class, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `controller` - (Required) the name of the controller that should handle this class.
* `parameters` - (Optional) Parameters is a link to a custom resource containing additional configuration for the controller. See `parameters` block attributes below.
### `parameters`
#### Arguments
* `name` - (Required) The name of resource being referenced.
* `kind` - (Required) The type of resource being referenced.
* `api_group` - (Optional) The group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group.
* `scope` - (Optional) Refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace". Field can be enabled with IngressClassNamespacedParams feature gate.
* `namespace` - (Optional) The namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".
## Import
Ingress Classes can be imported using its name, e.g:

103
docs/resources/ingress_class_v1.md
View file

@ -9,6 +9,61 @@ description: |-
Ingresses can be implemented by different controllers, often with different configuration. Each Ingress should specify a class, a reference to an IngressClass resource that contains additional configuration including the name of the controller that should implement the class.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress_class_v1's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress_class_v1 that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress_class_v1. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress_class_v1, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress_class_v1 that can be used by clients to determine when ingress_class_v1 has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress_class_v1. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `controller` (String) controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.
- `parameters` (Block List) (see [below for nested schema](#nestedblock--spec--parameters))
<a id="nestedblock--spec--parameters"></a>
### Nested Schema for `spec.parameters`
Required:
- `kind` (String) Kind is the type of resource being referenced
- `name` (String) Name is the name of resource being referenced
Optional:
- `api_group` (String) APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
- `namespace` (String)
- `scope` (String)
## Example Usage
```terraform
@ -28,54 +83,6 @@ resource "kubernetes_ingress_class_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard ingress's metadata. For more info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
* `spec` - (Required) Spec defines the behavior of a ingress. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `false`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the ingress class, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `controller` - (Required) the name of the controller that should handle this class.
* `parameters` - (Optional) Parameters is a link to a custom resource containing additional configuration for the controller. See `parameters` block attributes below.
### `parameters`
#### Arguments
* `name` - (Required) The name of resource being referenced.
* `kind` - (Required) The type of resource being referenced.
* `api_group` - (Optional) The group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group.
* `scope` - (Optional) Refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace". Field can be enabled with IngressClassNamespacedParams feature gate.
* `namespace` - (Optional) The namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".
## Import
Ingress Classes can be imported using its name, e.g:

325
docs/resources/ingress_v1.md
View file

@ -9,6 +9,219 @@ description: |-
Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard ingress's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_for_load_balancer` (Boolean) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created.
### Read-Only
- `id` (String) The ID of this resource.
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the ingress. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the ingress, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the ingress must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this ingress that can be used by clients to determine when ingress has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this ingress. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `default_backend` (Block List, Max: 1) A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default. (see [below for nested schema](#nestedblock--spec--default_backend))
- `ingress_class_name` (String) ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.
- `rule` (Block List) (see [below for nested schema](#nestedblock--spec--rule))
- `tls` (Block List) tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. (see [below for nested schema](#nestedblock--spec--tls))
<a id="nestedblock--spec--default_backend"></a>
### Nested Schema for `spec.default_backend`
Optional:
- `resource` (Block List, Max: 1) Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. (see [below for nested schema](#nestedblock--spec--default_backend--resource))
- `service` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--default_backend--service))
<a id="nestedblock--spec--default_backend--resource"></a>
### Nested Schema for `spec.default_backend.resource`
Required:
- `api_group` (String) APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--spec--default_backend--service"></a>
### Nested Schema for `spec.default_backend.service`
Required:
- `name` (String) Specifies the name of the referenced service.
- `port` (Block List, Min: 1, Max: 1) Specifies the port of the referenced service. (see [below for nested schema](#nestedblock--spec--default_backend--service--port))
<a id="nestedblock--spec--default_backend--service--port"></a>
### Nested Schema for `spec.default_backend.service.port`
Optional:
- `name` (String) Specifies the name of the port of the referenced service.
- `number` (Number) Specifies the numerical port of the referenced service.
<a id="nestedblock--spec--rule"></a>
### Nested Schema for `spec.rule`
Optional:
- `host` (String) host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
the IP in the Spec of the parent Ingress.
2. The `:` delimiter is not respected because ports are not allowed.
Currently the port of an Ingress is implicitly :80 for http and
:443 for https.
Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.
- `http` (Block List, Max: 1) http is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. (see [below for nested schema](#nestedblock--spec--rule--http))
<a id="nestedblock--spec--rule--http"></a>
### Nested Schema for `spec.rule.http`
Required:
- `path` (Block List, Min: 1) (see [below for nested schema](#nestedblock--spec--rule--http--path))
<a id="nestedblock--spec--rule--http--path"></a>
### Nested Schema for `spec.rule.http.path`
Optional:
- `backend` (Block List, Max: 1) Backend defines the referenced service endpoint to which the traffic will be forwarded to. (see [below for nested schema](#nestedblock--spec--rule--http--path--backend))
- `path` (String) path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value "Exact" or "Prefix".
- `path_type` (String) pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
done on a path element by element basis. A path element refers is the
list of labels in the path split by the '/' separator. A request is a
match for path p if every p is an element-wise prefix of p of the
request path. Note that if the last element of the path is a substring
of the last element in request path, it is not a match (e.g. /foo/bar
matches /foo/bar/baz, but does not match /foo/barbaz).
* ImplementationSpecific: Interpretation of the Path matching is up to
the IngressClass. Implementations can treat this as a separate PathType
or treat it identically to Prefix or Exact path types.
Implementations are required to support all path types.
<a id="nestedblock--spec--rule--http--path--backend"></a>
### Nested Schema for `spec.rule.http.path.backend`
Optional:
- `resource` (Block List, Max: 1) Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. (see [below for nested schema](#nestedblock--spec--rule--http--path--backend--resource))
- `service` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--rule--http--path--backend--service))
<a id="nestedblock--spec--rule--http--path--backend--resource"></a>
### Nested Schema for `spec.rule.http.path.backend.resource`
Required:
- `api_group` (String) APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--spec--rule--http--path--backend--service"></a>
### Nested Schema for `spec.rule.http.path.backend.service`
Required:
- `name` (String) Specifies the name of the referenced service.
- `port` (Block List, Min: 1, Max: 1) Specifies the port of the referenced service. (see [below for nested schema](#nestedblock--spec--rule--http--path--backend--service--port))
<a id="nestedblock--spec--rule--http--path--backend--service--port"></a>
### Nested Schema for `spec.rule.http.path.backend.service.port`
Optional:
- `name` (String) Specifies the name of the port of the referenced service.
- `number` (Number) Specifies the numerical port of the referenced service.
<a id="nestedblock--spec--tls"></a>
### Nested Schema for `spec.tls`
Optional:
- `hosts` (List of String) hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
- `secret_name` (String) secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the "Host" header is used for routing.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
- `delete` (String)
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
@ -193,118 +406,6 @@ output "load_balancer_ip" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard ingress's metadata. For more info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
* `spec` - (Required) Spec defines the behavior of a ingress. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `false`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the ingress that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `default_backend` - (Optional) DefaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller. See `backend` block attributes below.
* `rule` - (Optional) A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend. See `rule` block attributes below.
* `tls` - (Optional) TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI. See `tls` block attributes below.
* `ingress_class_name` - (Optional) The ingress class name references an IngressClass resource that contains additional configuration including the name of the controller that should implement the class.
### `backend`
#### Arguments
* `resource` - (Optional) Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a `service.name` and `service.port` must not be specified.
* `service` - (Optional) Service references a Service as a Backend.
### `service`
#### Arguments
* `name` - (Optional) Specifies the name of the referenced service.
* `port` - (Optional) Specifies the port of the referenced service.
### `port`
* `name` - (Optional) Name is the name of the port on the Service.
* `number` - (Optional) Number is the numerical port number (e.g. 80) on the Service.
#### Arguments
### `rule`
#### Arguments
* `host` - (Optional) Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The : delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
* `http` - (Optional) http is a list of http selectors pointing to backends. In the example: http:///? -> backend where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'. See `http` block attributes below.
#### `http`
* `path` - (Required) Path array of path regex associated with a backend. Incoming urls matching the path are forwarded to the backend, see below for `path` block structure.
#### `path`
* `path` - (Required) A string or an extended POSIX regular expression as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.
* `path_type` - (Optional) PathType determines the interpretation of the Path matching. PathType can be one of the following values: `ImplementationSpecific`, `Exact`, or `Prefix`. See the [Kubernetes Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for details.
* `backend` - (Required) Backend defines the referenced service endpoint to which the traffic will be forwarded to.
### `tls`
#### Arguments
* `hosts` - (Optional) Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
* `secret_name` - (Optional) SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.
## Attributes
### `status`
* `status` - Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#### `load_balancer`
* LoadBalancer contains the current status of the load-balancer, if one is present.
##### `ingress`
* `ingress` - Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
###### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
## Timeouts
The following [Timeout](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts) configuration options are available for the `kubernetes_ingress_v1` resource:
* `create` - ingress load balancer creation timeout (default `20 minutes`).
* `delete` - ingress load balancer deletion timeout (default `20 minutes`).
## Import
Ingress can be imported using its namespace and name:

2372
docs/resources/job.md
View file

File diff suppressed because it is too large Load diff

2374
docs/resources/job_v1.md
View file

File diff suppressed because it is too large Load diff

53
docs/resources/labels.md
View file

@ -9,6 +9,39 @@ description: |-
This resource allows Terraform to manage the labels for a resource that already exists. This resource uses [field management](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) and [server-side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) to manage only the labels that are defined in the Terraform configuration. Existing labels not specified in the configuration will be ignored. If a label specified in the config and is already managed by another client it will cause a conflict which can be overridden by setting `force` to true.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `api_version` (String) The apiVersion of the resource to label.
- `kind` (String) The kind of the resource to label.
- `labels` (Map of String) A map of labels to apply to the resource.
- `metadata` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--metadata))
### Optional
- `field_manager` (String) Set the name of the field manager for the specified labels.
- `force` (Boolean) Force overwriting labels that were created or edited outside of Terraform.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `name` (String) The name of the resource.
Optional:
- `namespace` (String) The namespace of the resource.
## Example Usage
```terraform
@ -24,26 +57,6 @@ resource "kubernetes_labels" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `api_version` - (Required) The apiVersion of the resource to be labelled.
* `kind` - (Required) The kind of the resource to be labelled.
* `metadata` - (Required) Standard metadata of the resource to be labelled.
* `labels` - (Required) A map of labels to apply to the resource.
* `force` - (Optional) Force management of labels if there is a conflict.
* `field_manager` - (Optional) The name of the [field manager](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management). Defaults to `Terraform`.
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) Name of the resource to be labelled.
* `namespace` - (Optional) Namespace of the resource to be labelled.
## Import
This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.

104
docs/resources/limit_range.md
View file

@ -11,6 +11,62 @@ Limit Range sets resource usage limits (e.g. memory, cpu, storage) for supported
Read more in [the official docs](https://kubernetes.io/docs/concepts/policy/limit-range/).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard limit range's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the limit range that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the limit range. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the limit range, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the limit range must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this limit range that can be used by clients to determine when limit range has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this limit range. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `limit` (Block List) Limits is the list of objects that are enforced. (see [below for nested schema](#nestedblock--spec--limit))
<a id="nestedblock--spec--limit"></a>
### Nested Schema for `spec.limit`
Optional:
- `default` (Map of String) Default resource requirement limit value by resource name if resource limit is omitted.
- `default_request` (Map of String) The default resource requirement request value by resource name if resource request is omitted.
- `max` (Map of String) Max usage constraints on this kind by resource name.
- `max_limit_request_ratio` (Map of String) The named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
- `min` (Map of String) Min usage constraints on this kind by resource name.
- `type` (String) Type of resource that this limit applies to.
## Example Usage
```terraform
@ -43,54 +99,6 @@ resource "kubernetes_limit_range" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard limit range's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Optional) Spec defines the limits enforced. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `spec`
#### Arguments
* `limit` - (Optional) The list of limits that are enforced.
### `limit`
#### Arguments
* `default` - (Optional) Default resource requirement limit value by resource name if resource limit is omitted.
* `default_request` - (Optional) The default resource requirement request value by resource name if resource request is omitted.
* `max` - (Optional) Max usage constraints on this kind by resource name.
* `max_limit_request_ratio` - (Optional) The named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
* `min` - (Optional) Min usage constraints on this kind by resource name.
* `type` - (Optional) Type of resource that this limit applies to. e.g. `Pod`, `Container` or `PersistentVolumeClaim`
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the limit range that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the limit range. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the limit range, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the limit range must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this limit range that can be used by clients to determine when limit range has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this limit range. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Limit Range can be imported using its namespace and name, e.g.

106
docs/resources/limit_range_v1.md
View file

@ -7,9 +7,63 @@ description: |-
# kubernetes_limit_range_v1
Limit Range sets resource usage limits (e.g. memory, cpu, storage) for supported kinds of resources in a namespace.
Limit Range sets resource usage limits (e.g. memory, cpu, storage) for supported kinds of resources in a namespace. Read more in [the official docs](https://kubernetes.io/docs/concepts/policy/limit-range/).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard limit range's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the limit range that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the limit range. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the limit range, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the limit range must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this limit range that can be used by clients to determine when limit range has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this limit range. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `limit` (Block List) Limits is the list of objects that are enforced. (see [below for nested schema](#nestedblock--spec--limit))
<a id="nestedblock--spec--limit"></a>
### Nested Schema for `spec.limit`
Optional:
- `default` (Map of String) Default resource requirement limit value by resource name if resource limit is omitted.
- `default_request` (Map of String) The default resource requirement request value by resource name if resource request is omitted.
- `max` (Map of String) Max usage constraints on this kind by resource name.
- `max_limit_request_ratio` (Map of String) The named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
- `min` (Map of String) Min usage constraints on this kind by resource name.
- `type` (String) Type of resource that this limit applies to.
Read more in [the official docs](https://kubernetes.io/docs/concepts/policy/limit-range/).
## Example Usage
@ -43,54 +97,6 @@ resource "kubernetes_limit_range_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard limit range's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Optional) Spec defines the limits enforced. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `spec`
#### Arguments
* `limit` - (Optional) The list of limits that are enforced.
### `limit`
#### Arguments
* `default` - (Optional) Default resource requirement limit value by resource name if resource limit is omitted.
* `default_request` - (Optional) The default resource requirement request value by resource name if resource request is omitted.
* `max` - (Optional) Max usage constraints on this kind by resource name.
* `max_limit_request_ratio` - (Optional) The named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
* `min` - (Optional) Min usage constraints on this kind by resource name.
* `type` - (Optional) Type of resource that this limit applies to. e.g. `Pod`, `Container` or `PersistentVolumeClaim`
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the limit range that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the limit range. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the limit range, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the limit range must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this limit range that can be used by clients to determine when limit range has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this limit range. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Limit Range can be imported using its namespace and name, e.g.

100
docs/resources/manifest.md
View file

@ -13,6 +13,70 @@ Once applied, the `object` attribute contains the state of the resource as retur
~> A minimum Terraform version of 0.14.8 is required to use this resource.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `manifest` (Dynamic) A Kubernetes manifest describing the desired state of the resource in HCL format.
### Optional
- `computed_fields` (List of String) List of manifest fields whose values can be altered by the API server during 'apply'. Defaults to: ["metadata.annotations", "metadata.labels"]
- `field_manager` (Block List, Max: 1) Configure field manager options. (see [below for nested schema](#nestedblock--field_manager))
- `object` (Dynamic) The resulting resource state, as returned by the API server after applying the desired state from `manifest`.
- `timeouts` (Block List, Max: 1) (see [below for nested schema](#nestedblock--timeouts))
- `wait` (Block List, Max: 1) Configure waiter options. (see [below for nested schema](#nestedblock--wait))
- `wait_for` (Object, Deprecated) A map of attribute paths and desired patterns to be matched. After each apply the provider will wait for all attributes listed here to reach a value that matches the desired pattern. (see [below for nested schema](#nestedatt--wait_for))
<a id="nestedblock--field_manager"></a>
### Nested Schema for `field_manager`
Optional:
- `force_conflicts` (Boolean) Force changes against conflicts.
- `name` (String) The name to use for the field manager when creating and updating the resource.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String) Timeout for the create operation.
- `delete` (String) Timeout for the delete operation.
- `update` (String) Timeout for the update operation.
<a id="nestedblock--wait"></a>
### Nested Schema for `wait`
Optional:
- `condition` (Block List) (see [below for nested schema](#nestedblock--wait--condition))
- `fields` (Map of String) A map of paths to fields to wait for a specific field value.
- `rollout` (Boolean) Wait for rollout to complete on resources that support `kubectl rollout status`.
<a id="nestedblock--wait--condition"></a>
### Nested Schema for `wait.condition`
Optional:
- `status` (String) The condition status.
- `type` (String) The type of condition.
<a id="nestedatt--wait_for"></a>
### Nested Schema for `wait_for`
Optional:
- `fields` (Map of String)
### Before you use this resource
- This resource requires API access during planning time. This means the cluster has to be accessible at plan time and thus cannot be created in the same apply operation. We recommend only using this resource for custom resources or resources not yet fully supported by the provider.
@ -213,25 +277,6 @@ resource "kubernetes_manifest" "test-ns" {
The syntax for the field paths is the same as the one used in the `wait` block.
## Argument Reference
The following arguments are supported:
- `computed_fields` - (Optional) List of paths of fields to be handled as "computed". The user-configured value for the field will be overridden by any different value returned by the API after apply.
- `manifest` (Required) An object Kubernetes manifest describing the desired state of the resource in HCL format.
- `object` (Optional) The resulting resource state, as returned by the API server after applying the desired state from `manifest`.
- `wait` (Optional) An object which allows you configure the provider to wait for specific fields to reach a desired value or certain conditions to be met. See below for schema.
- `wait_for` (Optional, Deprecated) An object which allows you configure the provider to wait for certain conditions to be met. See below for schema. **DEPRECATED: use `wait` block**.
- `field_manager` (Optional) Configure field manager options. See below.
### `wait`
#### Arguments
- `rollout` (Optional) When set to `true` will wait for the resource to roll out, equivalent to `kubectl rollout status`.
- `condition` (Optional) A set of condition to wait for. You can specify multiple `condition` blocks and it will wait for all of them.
- `fields` (Optional) A map of field paths and a corresponding regular expression with a pattern to wait for. The provider will wait until the field's value matches the regular expression. Use `*` for any value.
A field path is a string that describes the fully qualified address of a field within the resource, including its parent fields all the way up to "object". The syntax of a path string follows the rules below:
- Fields of objects are addressed with `.`
@ -254,20 +299,3 @@ A field path is a string that describes the fully qualified address of a field w
> type(kubernetes_manifest.my-secret.object.data)
map(string)
```
### `wait_for` (deprecated, use `wait`)
#### Arguments
- `fields` (Optional) A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use `*` for any value.
### `field_manager`
#### Arguments
- `name` (Optional) The name of the field manager to use when applying the resource. Defaults to `Terraform`.
- `force_conflicts` (Optional) Forcibly override any field manager conflicts when applying the resource. Defaults to `false`.
### `timeouts`
See [Operation Timeouts](https://www.terraform.io/docs/language/resources/syntax.html#operation-timeouts)

262
docs/resources/mutating_webhook_configuration.md
View file

@ -9,6 +9,193 @@ description: |-
Mutating Webhook Configuration configures a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard mutating webhook configuration's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `webhook` (Block List, Min: 1) Webhooks is a list of webhooks and the affected resources and operations. (see [below for nested schema](#nestedblock--webhook))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the mutating webhook configuration that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the mutating webhook configuration. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the mutating webhook configuration, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this mutating webhook configuration that can be used by clients to determine when mutating webhook configuration has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this mutating webhook configuration. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--webhook"></a>
### Nested Schema for `webhook`
Required:
- `client_config` (Block List, Min: 1, Max: 1) ClientConfig defines how to communicate with the hook. Required (see [below for nested schema](#nestedblock--webhook--client_config))
- `name` (String) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
Optional:
- `admission_review_versions` (List of String) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
- `failure_policy` (String) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
- `match_policy` (String) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `reinvocation_policy` (String) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
Never: the webhook will not be called more than once in a single admission evaluation.
IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
Defaults to "Never".
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
<a id="nestedblock--webhook--client_config"></a>
### Nested Schema for `webhook.client_config`
Optional:
- `ca_bundle` (String) `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
<a id="nestedblock--webhook--client_config--service"></a>
### Nested Schema for `webhook.client_config.service`
Required:
- `name` (String) `name` is the name of the service. Required
- `namespace` (String) `namespace` is the namespace of the service. Required
Optional:
- `path` (String) `path` is an optional URL path which will be sent in any request to this service.
- `port` (Number) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
<a id="nestedblock--webhook--namespace_selector"></a>
### Nested Schema for `webhook.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--namespace_selector--match_expressions"></a>
### Nested Schema for `webhook.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--object_selector"></a>
### Nested Schema for `webhook.object_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--object_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--object_selector--match_expressions"></a>
### Nested Schema for `webhook.object_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--rule"></a>
### Nested Schema for `webhook.rule`
Required:
- `api_groups` (List of String)
- `api_versions` (List of String)
- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
- `resources` (List of String)
Optional:
- `scope` (String)
## Example Usage
```terraform
@ -47,81 +234,6 @@ resource "kubernetes_mutating_webhook_configuration" "example" {
The provider supports clusters running either `v1` or `v1beta1` of the Admission Registration API.
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Mutating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `webhook` - (Required) A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Mutating Webhook Configuration that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Mutating Webhook Configuration. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Mutating Webhook Configuration, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Mutating Webhook Configuration that can be used by clients to determine when Mutating Webhook Configuration has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Mutating Webhook Configuration. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - (Optional) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - (Required) ClientConfig defines how to communicate with the hook.
* `failure_policy` - (Optional) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - (Optional) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - (Required) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - (Optional) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - (Optional) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `reinvocation_policy` - (Optional) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: the webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: *the number of additional invocations is not guaranteed to be exactly one.* if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. *webhooks that use this option may be reordered to minimize the number of additional invocations.* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. Defaults to "Never".
* `rule` - (Optional) Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - (Required) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - (Optional) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - (Optional) A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - (Optional) A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - (Optional) Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
~> Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - (Required) The name of the service.
* `namespace` - (Required) The namespace of the service.
* `path` - (Optional) The URL path which will be sent in any request to this service.
* `port` - (Optional) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - (Required) The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - (Required) The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - (Required) The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - (Required) A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - (Optional) Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
## Import
Mutating Webhook Configuration can be imported using the name, e.g.

262
docs/resources/mutating_webhook_configuration_v1.md
View file

@ -9,6 +9,193 @@ description: |-
Mutating Webhook Configuration configures a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard mutating webhook configuration's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `webhook` (Block List, Min: 1) Webhooks is a list of webhooks and the affected resources and operations. (see [below for nested schema](#nestedblock--webhook))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the mutating webhook configuration that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the mutating webhook configuration. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the mutating webhook configuration, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this mutating webhook configuration that can be used by clients to determine when mutating webhook configuration has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this mutating webhook configuration. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--webhook"></a>
### Nested Schema for `webhook`
Required:
- `client_config` (Block List, Min: 1, Max: 1) ClientConfig defines how to communicate with the hook. Required (see [below for nested schema](#nestedblock--webhook--client_config))
- `name` (String) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
Optional:
- `admission_review_versions` (List of String) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
- `failure_policy` (String) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
- `match_policy` (String) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `reinvocation_policy` (String) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
Never: the webhook will not be called more than once in a single admission evaluation.
IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
Defaults to "Never".
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
<a id="nestedblock--webhook--client_config"></a>
### Nested Schema for `webhook.client_config`
Optional:
- `ca_bundle` (String) `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
<a id="nestedblock--webhook--client_config--service"></a>
### Nested Schema for `webhook.client_config.service`
Required:
- `name` (String) `name` is the name of the service. Required
- `namespace` (String) `namespace` is the namespace of the service. Required
Optional:
- `path` (String) `path` is an optional URL path which will be sent in any request to this service.
- `port` (Number) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
<a id="nestedblock--webhook--namespace_selector"></a>
### Nested Schema for `webhook.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--namespace_selector--match_expressions"></a>
### Nested Schema for `webhook.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--object_selector"></a>
### Nested Schema for `webhook.object_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--object_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--object_selector--match_expressions"></a>
### Nested Schema for `webhook.object_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--rule"></a>
### Nested Schema for `webhook.rule`
Required:
- `api_groups` (List of String)
- `api_versions` (List of String)
- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
- `resources` (List of String)
Optional:
- `scope` (String)
## Example Usage
```terraform
@ -47,81 +234,6 @@ resource "kubernetes_mutating_webhook_configuration_v1" "example" {
The provider supports clusters running either `v1` or `v1beta1` of the Admission Registration API.
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Mutating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `webhook` - (Required) A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Mutating Webhook Configuration that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Mutating Webhook Configuration. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Mutating Webhook Configuration, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Mutating Webhook Configuration that can be used by clients to determine when Mutating Webhook Configuration has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Mutating Webhook Configuration. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - (Optional) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - (Required) ClientConfig defines how to communicate with the hook.
* `failure_policy` - (Optional) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - (Optional) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - (Required) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - (Optional) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - (Optional) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `reinvocation_policy` - (Optional) reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: the webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: *the number of additional invocations is not guaranteed to be exactly one.* if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. *webhooks that use this option may be reordered to minimize the number of additional invocations.* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. Defaults to "Never".
* `rule` - (Optional) Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - (Required) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - (Optional) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - (Optional) A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - (Optional) A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - (Optional) Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
~> Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - (Required) The name of the service.
* `namespace` - (Required) The namespace of the service.
* `path` - (Optional) The URL path which will be sent in any request to this service.
* `port` - (Optional) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - (Required) The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - (Required) The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - (Required) The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - (Required) A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - (Optional) Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
## Import
Mutating Webhook Configuration can be imported using the name, e.g.

78
docs/resources/namespace.md
View file

@ -5,10 +5,53 @@ description: |-
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces.
---
# kubernetes_namespace
# kubernetes_namespace
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. Read more about namespaces at [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard namespace's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_for_default_service_account` (Boolean) Terraform will wait for the default service account to be created.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the namespace. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the namespace, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespace has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this namespace. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `delete` (String)
## Example Usage
```terraform
@ -27,45 +70,12 @@ resource "kubernetes_namespace" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard namespace's [metadata](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata).
### Timeouts
`kubernetes_namespace` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `delete` - Default `5 minutes`
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/).
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more about [name idempotency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency).
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/).
* `name` - (Optional) Name of the namespace, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespaces have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this namespace. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids).
## Attribute Reference
* `wait_for_default_service_account` - (Optional) When set to `true` Terraform will wait until the default service account has been asynchronously created by Kubernetes when creating the namespace resource. This has the equivalent effect of creating a `kubernetes_default_service_account` resource for dependent resources but allows a user to consume the "default" service account directly. The default behaviour (`false`) does not wait for the default service account to exist.
## Import
Namespaces can be imported using their name, e.g.

76
docs/resources/namespace_v1.md
View file

@ -9,6 +9,49 @@ description: |-
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. Read more about namespaces at [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard namespace's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_for_default_service_account` (Boolean) Terraform will wait for the default service account to be created.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the namespace. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the namespace, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespace has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this namespace. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `delete` (String)
## Example Usage
```terraform
@ -27,45 +70,12 @@ resource "kubernetes_namespace_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard namespace's [metadata](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata).
### Timeouts
`kubernetes_namespace_v1` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `delete` - Default `5 minutes`
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the namespace that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more about [name idempotency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency).
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the namespace, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this namespace that can be used by clients to determine when namespaces have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this namespace. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Attribute Reference
* `wait_for_default_service_account` - (Optional) When set to `true` Terraform will wait until the default service account has been asynchronously created by Kubernetes when creating the namespace resource. This has the equivalent effect of creating a `kubernetes_default_service_account_v1` resource for dependent resources but allows a user to consume the "default" service account directly. The default behaviour (`false`) does not wait for the default service account to exist.
## Import
Namespaces can be imported using their name, e.g.

332
docs/resources/network_policy.md
View file

@ -10,6 +10,231 @@ description: |-
Kubernetes supports network policies to specify how groups of pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. Read more about network policies at https://kubernetes.io/docs/concepts/services-networking/network-policies/
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard network policy's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec represents the specification of the desired behavior for this NetworkPolicy. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the network policy that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the network policy. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the network policy, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the network policy must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this network policy that can be used by clients to determine when network policy has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this network policy. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `pod_selector` (Block List, Min: 1, Max: 1) podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace. (see [below for nested schema](#nestedblock--spec--pod_selector))
- `policy_types` (List of String) policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
Optional:
- `egress` (Block List) egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8 (see [below for nested schema](#nestedblock--spec--egress))
- `ingress` (Block List) ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default) (see [below for nested schema](#nestedblock--spec--ingress))
<a id="nestedblock--spec--pod_selector"></a>
### Nested Schema for `spec.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--pod_selector--match_expressions"></a>
### Nested Schema for `spec.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--egress"></a>
### Nested Schema for `spec.egress`
Optional:
- `ports` (Block List) ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. (see [below for nested schema](#nestedblock--spec--egress--ports))
- `to` (Block List) to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. (see [below for nested schema](#nestedblock--spec--egress--to))
<a id="nestedblock--spec--egress--ports"></a>
### Nested Schema for `spec.egress.ports`
Optional:
- `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
- `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
<a id="nestedblock--spec--egress--to"></a>
### Nested Schema for `spec.egress.to`
Optional:
- `ip_block` (Block List, Max: 1) ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. (see [below for nested schema](#nestedblock--spec--egress--to--ip_block))
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector))
<a id="nestedblock--spec--egress--to--ip_block"></a>
### Nested Schema for `spec.egress.to.ip_block`
Optional:
- `cidr` (String) cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
- `except` (List of String) except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
<a id="nestedblock--spec--egress--to--namespace_selector"></a>
### Nested Schema for `spec.egress.to.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--egress--to--namespace_selector--match_expressions"></a>
### Nested Schema for `spec.egress.to.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--egress--to--pod_selector"></a>
### Nested Schema for `spec.egress.to.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--egress--to--pod_selector--match_expressions"></a>
### Nested Schema for `spec.egress.to.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress"></a>
### Nested Schema for `spec.ingress`
Optional:
- `from` (Block List) from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. (see [below for nested schema](#nestedblock--spec--ingress--from))
- `ports` (Block List) ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. (see [below for nested schema](#nestedblock--spec--ingress--ports))
<a id="nestedblock--spec--ingress--from"></a>
### Nested Schema for `spec.ingress.from`
Optional:
- `ip_block` (Block List, Max: 1) ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. (see [below for nested schema](#nestedblock--spec--ingress--from--ip_block))
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector))
<a id="nestedblock--spec--ingress--from--ip_block"></a>
### Nested Schema for `spec.ingress.from.ip_block`
Optional:
- `cidr` (String) cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
- `except` (List of String) except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
<a id="nestedblock--spec--ingress--from--namespace_selector"></a>
### Nested Schema for `spec.ingress.from.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--ingress--from--namespace_selector--match_expressions"></a>
### Nested Schema for `spec.ingress.from.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress--from--pod_selector"></a>
### Nested Schema for `spec.ingress.from.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--ingress--from--pod_selector--match_expressions"></a>
### Nested Schema for `spec.ingress.from.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress--ports"></a>
### Nested Schema for `spec.ingress.ports`
Optional:
- `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
- `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
## Example Usage
```terraform
@ -64,113 +289,6 @@ resource "kubernetes_network_policy" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard network policy's [metadata](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata).
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the network policy that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more about [name idempotency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency).
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) network policies. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the network policy, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this network policy that can be used by clients to determine when network policies have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this network policy. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `egress` - (Optional) List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this block is empty then this NetworkPolicy allows all outgoing traffic. If this block is omitted then this NetworkPolicy does not allow any outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default).
* `ingress` - (Optional) List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this block is empty then this NetworkPolicy allows all incoming traffic. If this block is omitted then this NetworkPolicy does not allow any incoming traffic (and serves solely to ensure that the pods it selects are isolated by default).
* `pod_selector` - (Required) Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
* `policy_types` (Required) List of rule types that the NetworkPolicy relates to. Valid options are `Ingress`, `Egress`, or `Ingress,Egress`. This field is beta-level in 1.8 **Note**: the native Kubernetes API allows not to specify the `policy_types` property with the following description:
> If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]).
Leaving the `policy_types` property optional here would have prevented an `egress` rule added to a Network Policy initially created without any `egress` rule nor `policy_types` from working as expected. Indeed, the PolicyTypes would have stuck to Ingress server side as the default value is only computed server side on resource creation, not on updates.
### `ingress`
#### Arguments
* `from` - (Optional) List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least on item, this rule allows traffic only if the traffic matches at least one item in the from list.
* `ports` - (Optional) List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
### `egress`
#### Arguments
* `to` - (Optional) List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
* `ports` - (Optional) List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
### `from`
#### Arguments
* `namespace_selector` - (Optional) Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.
* `pod_selector` - (Optional) This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.
### `ports`
#### Arguments
* `port` - (Optional) The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
* `protocol` - (Optional) The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP.
### `to`
#### Arguments
* `ip_block` - (Optional) IPBlock defines policy on a particular IPBlock
* `namespace_selector` - (Optional) Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.
* `pod_selector` - (Optional) This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.
### `ip_block`
#### Arguments
* `cidr` - (Optional) CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24"
* `except` - (Optional) Except is a slice of CIDRs that should not be included within an IP Block. Valid examples are "192.168.1.1/24". Except values will be rejected if they are outside the CIDR range.
### `namespace_selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
### `pod_selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
### `match_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `operator` - (Optional) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
## Import
Network policies can be imported using their identifier consisting of `<namespace-name>/<network-policy-name>`, e.g.:

332
docs/resources/network_policy_v1.md
View file

@ -10,6 +10,231 @@ description: |-
Kubernetes supports network policies to specify how groups of pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. Read more about network policies at https://kubernetes.io/docs/concepts/services-networking/network-policies/
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard network policy's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec represents the specification of the desired behavior for this NetworkPolicy. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the network policy that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the network policy. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the network policy, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the network policy must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this network policy that can be used by clients to determine when network policy has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this network policy. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `pod_selector` (Block List, Min: 1, Max: 1) podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace. (see [below for nested schema](#nestedblock--spec--pod_selector))
- `policy_types` (List of String) policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
Optional:
- `egress` (Block List) egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8 (see [below for nested schema](#nestedblock--spec--egress))
- `ingress` (Block List) ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default) (see [below for nested schema](#nestedblock--spec--ingress))
<a id="nestedblock--spec--pod_selector"></a>
### Nested Schema for `spec.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--pod_selector--match_expressions"></a>
### Nested Schema for `spec.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--egress"></a>
### Nested Schema for `spec.egress`
Optional:
- `ports` (Block List) ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. (see [below for nested schema](#nestedblock--spec--egress--ports))
- `to` (Block List) to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. (see [below for nested schema](#nestedblock--spec--egress--to))
<a id="nestedblock--spec--egress--ports"></a>
### Nested Schema for `spec.egress.ports`
Optional:
- `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
- `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
<a id="nestedblock--spec--egress--to"></a>
### Nested Schema for `spec.egress.to`
Optional:
- `ip_block` (Block List, Max: 1) ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. (see [below for nested schema](#nestedblock--spec--egress--to--ip_block))
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector))
<a id="nestedblock--spec--egress--to--ip_block"></a>
### Nested Schema for `spec.egress.to.ip_block`
Optional:
- `cidr` (String) cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
- `except` (List of String) except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
<a id="nestedblock--spec--egress--to--namespace_selector"></a>
### Nested Schema for `spec.egress.to.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--egress--to--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--egress--to--namespace_selector--match_expressions"></a>
### Nested Schema for `spec.egress.to.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--egress--to--pod_selector"></a>
### Nested Schema for `spec.egress.to.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--egress--to--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--egress--to--pod_selector--match_expressions"></a>
### Nested Schema for `spec.egress.to.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress"></a>
### Nested Schema for `spec.ingress`
Optional:
- `from` (Block List) from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. (see [below for nested schema](#nestedblock--spec--ingress--from))
- `ports` (Block List) ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. (see [below for nested schema](#nestedblock--spec--ingress--ports))
<a id="nestedblock--spec--ingress--from"></a>
### Nested Schema for `spec.ingress.from`
Optional:
- `ip_block` (Block List, Max: 1) ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. (see [below for nested schema](#nestedblock--spec--ingress--from--ip_block))
- `namespace_selector` (Block List, Max: 1) namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector))
- `pod_selector` (Block List, Max: 1) podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector))
<a id="nestedblock--spec--ingress--from--ip_block"></a>
### Nested Schema for `spec.ingress.from.ip_block`
Optional:
- `cidr` (String) cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"
- `except` (List of String) except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range
<a id="nestedblock--spec--ingress--from--namespace_selector"></a>
### Nested Schema for `spec.ingress.from.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--ingress--from--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--ingress--from--namespace_selector--match_expressions"></a>
### Nested Schema for `spec.ingress.from.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress--from--pod_selector"></a>
### Nested Schema for `spec.ingress.from.pod_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--ingress--from--pod_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--ingress--from--pod_selector--match_expressions"></a>
### Nested Schema for `spec.ingress.from.pod_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--ingress--ports"></a>
### Nested Schema for `spec.ingress.ports`
Optional:
- `port` (String) port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
- `protocol` (String) protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
## Example Usage
```terraform
@ -64,113 +289,6 @@ resource "kubernetes_network_policy_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard network policy's [metadata](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata).
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the network policy that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more about [name idempotency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency).
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) network policies. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the network policy, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this network policy that can be used by clients to determine when network policies have changed. Read more about [concurrency control and consistency](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency).
* `uid` - The unique in time and space value for this network policy. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `egress` - (Optional) List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this block is empty then this NetworkPolicy allows all outgoing traffic. If this block is omitted then this NetworkPolicy does not allow any outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default).
* `ingress` - (Optional) List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this block is empty then this NetworkPolicy allows all incoming traffic. If this block is omitted then this NetworkPolicy does not allow any incoming traffic (and serves solely to ensure that the pods it selects are isolated by default).
* `pod_selector` - (Required) Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
* `policy_types` (Required) List of rule types that the NetworkPolicy relates to. Valid options are `Ingress`, `Egress`, or `Ingress,Egress`. This field is beta-level in 1.8 **Note**: the native Kubernetes API allows not to specify the `policy_types` property with the following description:
> If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]).
Leaving the `policy_types` property optional here would have prevented an `egress` rule added to a Network Policy initially created without any `egress` rule nor `policy_types` from working as expected. Indeed, the PolicyTypes would have stuck to Ingress server side as the default value is only computed server side on resource creation, not on updates.
### `ingress`
#### Arguments
* `from` - (Optional) List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least on item, this rule allows traffic only if the traffic matches at least one item in the from list.
* `ports` - (Optional) List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
### `egress`
#### Arguments
* `to` - (Optional) List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
* `ports` - (Optional) List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
### `from`
#### Arguments
* `namespace_selector` - (Optional) Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.
* `pod_selector` - (Optional) This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.
### `ports`
#### Arguments
* `port` - (Optional) The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
* `protocol` - (Optional) The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP.
### `to`
#### Arguments
* `ip_block` - (Optional) IPBlock defines policy on a particular IPBlock
* `namespace_selector` - (Optional) Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.
* `pod_selector` - (Optional) This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.
### `ip_block`
#### Arguments
* `cidr` - (Optional) CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24"
* `except` - (Optional) Except is a slice of CIDRs that should not be included within an IP Block. Valid examples are "192.168.1.1/24". Except values will be rejected if they are outside the CIDR range.
### `namespace_selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
### `pod_selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
### `match_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `operator` - (Optional) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
## Import
Network policies can be imported using their identifier consisting of `<namespace-name>/<network-policy-name>`, e.g.:

62
docs/resources/node_taint.md
View file

@ -9,6 +9,43 @@ description: |-
[Node affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) is a property of Pods that attracts them to a set of [nodes](https://kubernetes.io/docs/concepts/architecture/nodes/) (either as a preference or a hard requirement). Taints are the opposite -- they allow a node to repel a set of pods.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--metadata))
- `taint` (Block List, Min: 1) (see [below for nested schema](#nestedblock--taint))
### Optional
- `field_manager` (String) Set the name of the field manager for the node taint
- `force` (Boolean) Force overwriting annotations that were created or edited outside of Terraform.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Required:
- `name` (String) The name of the node
<a id="nestedblock--taint"></a>
### Nested Schema for `taint`
Required:
- `effect` (String) The taint effect
- `key` (String) The taint key
- `value` (String) The taint value
## Example Usage
```terraform
@ -24,31 +61,6 @@ resource "kubernetes_node_taint" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Metadata describing which Kubernetes node to apply the taint to.
* `field_manager` - (Optional) Set the name of the field manager for the node taint.
* `force` - (Optional) Force overwriting annotations that were created or edited outside of Terraform.
* `taint` - (Required) The taint configuration to apply to the node. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
## Nested Blocks
### `metadata`
#### Arguments
* `name` - (Required) The name of the node to apply the taint to
### `taint`
#### Arguments
* `key` - (Required, Forces new resource) The key of this node taint.
* `value` - (Required) The value of this node taint. Can be empty string.
* `effect` - (Required, Forces new resource) The scheduling effect to apply with this taint. Must be one of: `NoSchedule`, `PreferNoSchedule`, `NoExecute`.
## Import
This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.

750
docs/resources/persistent_volume.md
View file

@ -9,6 +9,479 @@ description: |-
The resource provides a piece of networked storage in the cluster provisioned by an administrator. It is a resource in the cluster just like a node is a cluster resource. Persistent Volumes have a lifecycle independent of any individual pod that uses the PV. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard persistent volume's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1) Spec of the persistent volume owned by the cluster (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the persistent volume, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this persistent volume that can be used by clients to determine when persistent volume has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this persistent volume. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `access_modes` (Set of String) Contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
- `capacity` (Map of String) A description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
- `persistent_volume_source` (Block List, Min: 1, Max: 1) The specification of a persistent volume. (see [below for nested schema](#nestedblock--spec--persistent_volume_source))
Optional:
- `claim_ref` (Block List, Max: 1) A reference to the persistent volume claim details for statically managed PVs. More Info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#binding (see [below for nested schema](#nestedblock--spec--claim_ref))
- `mount_options` (Set of String) A list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid.
- `node_affinity` (Block List, Max: 1) A description of the persistent volume's node affinity. More info: https://kubernetes.io/docs/concepts/storage/volumes/#local (see [below for nested schema](#nestedblock--spec--node_affinity))
- `persistent_volume_reclaim_policy` (String) What happens to a persistent volume when released from its claim. Valid options are Retain (default) and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
- `storage_class_name` (String) A description of the persistent volume's class. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class
- `volume_mode` (String) Defines if a volume is intended to be used with a formatted filesystem. or to remain in raw block state.
<a id="nestedblock--spec--persistent_volume_source"></a>
### Nested Schema for `spec.persistent_volume_source`
Optional:
- `aws_elastic_block_store` (Block List, Max: 1) Represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore (see [below for nested schema](#nestedblock--spec--persistent_volume_source--aws_elastic_block_store))
- `azure_disk` (Block List, Max: 1) Represents an Azure Data Disk mount on the host and bind mount to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--azure_disk))
- `azure_file` (Block List, Max: 1) Represents an Azure File Service mount on the host and bind mount to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--azure_file))
- `ceph_fs` (Block List, Max: 1) Represents a Ceph FS mount on the host that shares a pod's lifetime (see [below for nested schema](#nestedblock--spec--persistent_volume_source--ceph_fs))
- `cinder` (Block List, Max: 1) Represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--cinder))
- `csi` (Block List, Max: 1) Represents a CSI Volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#csi (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi))
- `fc` (Block List, Max: 1) Represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--fc))
- `flex_volume` (Block List, Max: 1) Represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flex_volume))
- `flocker` (Block List, Max: 1) Represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flocker))
- `gce_persistent_disk` (Block List, Max: 1) Represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk (see [below for nested schema](#nestedblock--spec--persistent_volume_source--gce_persistent_disk))
- `glusterfs` (Block List, Max: 1) Represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--glusterfs))
- `host_path` (Block List, Max: 1) Represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath (see [below for nested schema](#nestedblock--spec--persistent_volume_source--host_path))
- `iscsi` (Block List, Max: 1) Represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--iscsi))
- `local` (Block List, Max: 1) Represents a mounted local storage device such as a disk, partition or directory. Local volumes can only be used as a statically created PersistentVolume. Dynamic provisioning is not supported yet. More info: https://kubernetes.io/docs/concepts/storage/volumes#local (see [below for nested schema](#nestedblock--spec--persistent_volume_source--local))
- `nfs` (Block List, Max: 1) Represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs (see [below for nested schema](#nestedblock--spec--persistent_volume_source--nfs))
- `photon_persistent_disk` (Block List, Max: 1) Represents a PhotonController persistent disk attached and mounted on kubelets host machine (see [below for nested schema](#nestedblock--spec--persistent_volume_source--photon_persistent_disk))
- `quobyte` (Block List, Max: 1) Quobyte represents a Quobyte mount on the host that shares a pod's lifetime (see [below for nested schema](#nestedblock--spec--persistent_volume_source--quobyte))
- `rbd` (Block List, Max: 1) Represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--rbd))
- `vsphere_volume` (Block List, Max: 1) Represents a vSphere volume attached and mounted on kubelets host machine (see [below for nested schema](#nestedblock--spec--persistent_volume_source--vsphere_volume))
<a id="nestedblock--spec--persistent_volume_source--aws_elastic_block_store"></a>
### Nested Schema for `spec.persistent_volume_source.aws_elastic_block_store`
Required:
- `volume_id` (String) Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
- `partition` (Number) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
- `read_only` (Boolean) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
<a id="nestedblock--spec--persistent_volume_source--azure_disk"></a>
### Nested Schema for `spec.persistent_volume_source.azure_disk`
Required:
- `caching_mode` (String) Host Caching mode: None, Read Only, Read Write.
- `data_disk_uri` (String) The URI the data disk in the blob storage
- `disk_name` (String) The Name of the data disk in the blob storage
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `kind` (String) The type for the data disk. Expected values: Shared, Dedicated, Managed. Defaults to Shared
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
<a id="nestedblock--spec--persistent_volume_source--azure_file"></a>
### Nested Schema for `spec.persistent_volume_source.azure_file`
Required:
- `secret_name` (String) The name of secret that contains Azure Storage Account Name and Key
- `share_name` (String) Share Name
Optional:
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
- `secret_namespace` (String) The namespace of the secret that contains Azure Storage Account Name and Key. For Kubernetes up to 1.18.x the default is the same as the Pod. For Kubernetes 1.19.x and later the default is "default" namespace.
<a id="nestedblock--spec--persistent_volume_source--ceph_fs"></a>
### Nested Schema for `spec.persistent_volume_source.ceph_fs`
Required:
- `monitors` (Set of String) Monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Optional:
- `path` (String) Used as the mounted root, rather than the full Ceph tree, default is /
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to `false` (read/write). More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
- `secret_file` (String) The path to key ring for User, default is `/etc/ceph/user.secret`. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
- `secret_ref` (Block List, Max: 1) Reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it (see [below for nested schema](#nestedblock--spec--persistent_volume_source--ceph_fs--secret_ref))
- `user` (String) User is the rados user name, default is admin. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
<a id="nestedblock--spec--persistent_volume_source--ceph_fs--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.ceph_fs.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--cinder"></a>
### Nested Schema for `spec.persistent_volume_source.cinder`
Required:
- `volume_id` (String) Volume ID used to identify the volume in Cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write). More info: https://examples.k8s.io/mysql-cinder-pd/README.md
<a id="nestedblock--spec--persistent_volume_source--csi"></a>
### Nested Schema for `spec.persistent_volume_source.csi`
Required:
- `driver` (String) the name of the volume driver to use. More info: https://kubernetes.io/docs/concepts/storage/volumes/#csi
- `volume_handle` (String) A string value that uniquely identifies the volume. More info: https://kubernetes.io/docs/concepts/storage/volumes/#csi
Optional:
- `controller_expand_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--controller_expand_secret_ref))
- `controller_publish_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--controller_publish_secret_ref))
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `node_publish_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--node_publish_secret_ref))
- `node_stage_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--node_stage_secret_ref))
- `read_only` (Boolean) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#csi
- `volume_attributes` (Map of String) Attributes of the volume to publish.
<a id="nestedblock--spec--persistent_volume_source--csi--controller_expand_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.controller_expand_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--controller_publish_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.controller_publish_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--node_publish_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.node_publish_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--node_stage_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.node_stage_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--fc"></a>
### Nested Schema for `spec.persistent_volume_source.fc`
Required:
- `lun` (Number) FC target lun number
- `target_ww_ns` (Set of String) FC target worldwide names (WWNs)
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
<a id="nestedblock--spec--persistent_volume_source--flex_volume"></a>
### Nested Schema for `spec.persistent_volume_source.flex_volume`
Required:
- `driver` (String) Driver is the name of the driver to use for this volume.
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
- `options` (Map of String) Extra command options if any.
- `read_only` (Boolean) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false (read/write).
- `secret_ref` (Block List, Max: 1) Reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flex_volume--secret_ref))
<a id="nestedblock--spec--persistent_volume_source--flex_volume--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.flex_volume.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--flocker"></a>
### Nested Schema for `spec.persistent_volume_source.flocker`
Optional:
- `dataset_name` (String) Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
- `dataset_uuid` (String) UUID of the dataset. This is unique identifier of a Flocker dataset
<a id="nestedblock--spec--persistent_volume_source--gce_persistent_disk"></a>
### Nested Schema for `spec.persistent_volume_source.gce_persistent_disk`
Required:
- `pd_name` (String) Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- `partition` (Number) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- `read_only` (Boolean) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
<a id="nestedblock--spec--persistent_volume_source--glusterfs"></a>
### Nested Schema for `spec.persistent_volume_source.glusterfs`
Required:
- `endpoints_name` (String) The endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
- `path` (String) The Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
Optional:
- `read_only` (Boolean) Whether to force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
<a id="nestedblock--spec--persistent_volume_source--host_path"></a>
### Nested Schema for `spec.persistent_volume_source.host_path`
Optional:
- `path` (String) Path of the directory on the host. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
- `type` (String) Type for HostPath volume. Allowed values are "" (default), DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice and BlockDevice
<a id="nestedblock--spec--persistent_volume_source--iscsi"></a>
### Nested Schema for `spec.persistent_volume_source.iscsi`
Required:
- `iqn` (String) Target iSCSI Qualified Name.
- `target_portal` (String) iSCSI target portal. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
- `iscsi_interface` (String) iSCSI interface name that uses an iSCSI transport. Defaults to 'default' (tcp).
- `lun` (Number) iSCSI target lun number.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false.
<a id="nestedblock--spec--persistent_volume_source--local"></a>
### Nested Schema for `spec.persistent_volume_source.local`
Optional:
- `path` (String) Path of the directory on the host. More info: https://kubernetes.io/docs/concepts/storage/volumes#local
<a id="nestedblock--spec--persistent_volume_source--nfs"></a>
### Nested Schema for `spec.persistent_volume_source.nfs`
Required:
- `path` (String) Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
- `server` (String) Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
Optional:
- `read_only` (Boolean) Whether to force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
<a id="nestedblock--spec--persistent_volume_source--photon_persistent_disk"></a>
### Nested Schema for `spec.persistent_volume_source.photon_persistent_disk`
Required:
- `pd_id` (String) ID that identifies Photon Controller persistent disk
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
<a id="nestedblock--spec--persistent_volume_source--quobyte"></a>
### Nested Schema for `spec.persistent_volume_source.quobyte`
Required:
- `registry` (String) Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
- `volume` (String) Volume is a string that references an already created Quobyte volume by name.
Optional:
- `group` (String) Group to map volume access to Default is no group
- `read_only` (Boolean) Whether to force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
- `user` (String) User to map volume access to Defaults to serivceaccount user
<a id="nestedblock--spec--persistent_volume_source--rbd"></a>
### Nested Schema for `spec.persistent_volume_source.rbd`
Required:
- `ceph_monitors` (Set of String) A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rbd_image` (String) The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
- `keyring` (String) Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rados_user` (String) The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rbd_pool` (String) The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `secret_ref` (Block List, Max: 1) Name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it (see [below for nested schema](#nestedblock--spec--persistent_volume_source--rbd--secret_ref))
<a id="nestedblock--spec--persistent_volume_source--rbd--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.rbd.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--vsphere_volume"></a>
### Nested Schema for `spec.persistent_volume_source.vsphere_volume`
Required:
- `volume_path` (String) Path that identifies vSphere volume vmdk
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
<a id="nestedblock--spec--claim_ref"></a>
### Nested Schema for `spec.claim_ref`
Required:
- `name` (String) The name of the PersistentVolumeClaim
Optional:
- `namespace` (String) The namespace of the PersistentVolumeClaim. Uses 'default' namespace if none is specified.
<a id="nestedblock--spec--node_affinity"></a>
### Nested Schema for `spec.node_affinity`
Optional:
- `required` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--node_affinity--required))
<a id="nestedblock--spec--node_affinity--required"></a>
### Nested Schema for `spec.node_affinity.required`
Required:
- `node_selector_term` (Block List, Min: 1) (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term))
<a id="nestedblock--spec--node_affinity--required--node_selector_term"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term`
Optional:
- `match_expressions` (Block List) A list of node selector requirements by node's labels. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term--match_expressions))
- `match_fields` (Block List) A list of node selector requirements by node's fields. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term--match_fields))
<a id="nestedblock--spec--node_affinity--required--node_selector_term--match_expressions"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term.match_expressions`
Required:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists`, `DoesNotExist`, `Gt`, and `Lt`.
Optional:
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--node_affinity--required--node_selector_term--match_fields"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term.match_fields`
Required:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists`, `DoesNotExist`, `Gt`, and `Lt`.
Optional:
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -77,283 +550,6 @@ resource "azurerm_managed_disk" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard persistent volume's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec of the persistent volume owned by the cluster. See below.
## Nested Blocks
### `spec`
#### Arguments
* `access_modes` - (Required) Contains all ways the volume can be mounted. Valid values are `ReadWriteOnce`, `ReadOnlyMany`, `ReadWriteMany`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
* `capacity` - (Required) A description of the persistent volume's resources and capacity. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity)
* `node_affinity` - (Optional) NodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.
* `persistent_volume_reclaim_policy` - (Optional) What happens to a persistent volume when released from its claim. Valid options are Retain (default), Delete and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming)
* `persistent_volume_source` - (Required) The specification of a persistent volume.
* `storage_class_name` - (Optional) The name of the persistent volume's storage class. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class)
* `mount_options` - (Optional) A Kubernetes administrator can specify additional mount options for when a Persistent Volume is mounted on a node.
~> Not all Persistent Volume types support mount options. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options)
* `volume_mode` - (Optional) Defines if a volume is used with a formatted filesystem or to remain in raw block state. Possible values are `Block` and `Filesystem`. Default value is `Filesystem`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-mode)
### `node_affinity`
#### Arguments
* `required` - (Optional) Required specifies hard node constraints that must be met.
### `required`
#### Arguments
* `node_selector_term` - (Required) A list of node selector terms. The terms are ORed.
### `node_selector_term`
#### Arguments
* `match_expressions` - (Optional) A list of node selector requirements by node's labels.
* `match_fields` - (Optional) A list of node selector requirements by node's fields.
### `match_expressions` and `match_fields`
#### Arguments
* `key` - (Required) The label key that the selector applies to.
* `operator` - (Required) Represents a key's relationship to a set of values. Valid operators are `In`, `NotIn`, `Exists`, `DoesNotExist`. `Gt`, and `Lt`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. If the operator is `Gt` or `Lt`, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
### `persistent_volume_source`
#### Arguments
* `aws_elastic_block_store` - (Optional) Represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `azure_disk` - (Optional) Represents an Azure Data Disk mount on the host and bind mount to the pod.
* `azure_file` - (Optional) Represents an Azure File Service mount on the host and bind mount to the pod.
* `ceph_fs` - (Optional) Represents a Ceph FS mount on the host that shares a pod's lifetime.
* `cinder` - (Optional) Represents a cinder volume attached and mounted on kubelets host machine. For more info see https://github.com/kubernetes/examples/tree/master/mysql-cinder-pd#mysql-installation-with-cinder-volume-plugin.
* `csi` - (Optional) CSI represents storage that is handled by an external CSI driver. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `fc` - (Optional) Represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
* `flex_volume` - (Optional) Represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.
* `flocker` - (Optional) Represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running.
* `gce_persistent_disk` - (Optional) Represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk).
* `glusterfs` - (Optional) Represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#glusterfs.
* `host_path` - (Optional) Represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
* `iscsi` - (Optional) Represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.
* `local` - (Optional) Represents a local storage volume on the host. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#local).
* `nfs` - (Optional) Represents an NFS mount on the host. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs).
* `photon_persistent_disk` - (Optional) Represents a PhotonController persistent disk attached and mounted on kubelets host machine.
* `quobyte` - (Optional) Quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
* `rbd` - (Optional) Represents a Rados Block Device mount on the host that shares a pod's lifetime. For more info see https://kubernetes.io/docs/concepts/storage/volumes/#rbd.
* `vsphere_volume` - (Optional) Represents a vSphere volume attached and mounted on kubelets host machine.
### `aws_elastic_block_store`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `partition` - (Optional) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
* `read_only` - (Optional) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `volume_id` - (Required) Unique ID of the persistent disk resource in AWS (Amazon EBS volume). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
### `azure_disk`
#### Arguments
* `caching_mode` - (Required) Host Caching mode: None, Read Only, Read Write.
* `data_disk_uri` - (Required) The URI the data disk in the blob storage OR the resource ID of an Azure managed data disk if `kind` is `Managed`.
* `disk_name` - (Required) The Name of the data disk in the blob storage OR the name of an Azure managed data disk if `kind` is `Managed`.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `kind` - (Optional) The type for the data disk. Expected values: `Shared`, `Dedicated`, `Managed`. Defaults to `Shared`.
### `azure_file`
#### Arguments
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `secret_name` - (Required) The name of secret that contains Azure Storage Account Name and Key.
* `secret_namespace` - (Optional) The namespace of the secret that contains Azure Storage Account Name and Key. For Kubernetes up to 1.18.x the default is the same as the Pod. For Kubernetes 1.19.x and later the default is \"default\" namespace.
* `share_name` - (Required) Share Name
### `ceph_fs`
#### Arguments
* `monitors` - (Required) Monitors is a collection of Ceph monitors. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `path` - (Optional) Used as the mounted root, rather than the full Ceph tree, default is /.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to `false` (read/write). For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_file` - (Optional) The path to key ring for User, default is /etc/ceph/user.secret. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_ref` - (Optional) Reference to the authentication secret for User, default is empty. sFor more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it. see [secret_ref](#secret_ref) for more details.
* `user` - (Optional) User is the rados user name, default is admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
### `cinder`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write). For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
* `volume_id` - (Required) Volume ID used to identify the volume in Cinder. For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
### `csi`
#### Arguments
* `driver` - (Required) the name of the volume driver to use. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `volume_handle` - (Required) A map that specifies static properties of a volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `volume_attributes` - (Optional) Attributes of the volume to publish.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. `ext4`, `xfs`, `ntfs`.
* `read_only` - (Optional) Whether to set the read-only property in VolumeMounts to `true`. If omitted, the default is `false`.
* `controller_publish_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. see [secret_ref](#secret_ref) for more details.
* `node_stage_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. see [secret_ref](#secret_ref) for more details.
* `node_publish_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. see [secret_ref](#secret_ref) for more details.
* `controller_expand_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. see [secret_ref](#secret_ref) for more details.
### `fc`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `lun` - (Required) FC target lun number
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `target_ww_ns` - (Required) FC target worldwide names (WWNs)
### `flex_volume`
#### Arguments
* `driver` - (Required) Driver is the name of the driver to use for this volume.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
* `options` - (Optional) Extra command options if any.
* `read_only` - (Optional) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false (read/write).
* `secret_ref` - (Optional) Reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. see [secret_ref](#secret_ref) for more details.
### `flocker`
#### Arguments
* `dataset_name` - (Optional) Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
* `dataset_uuid` - (Optional) UUID of the dataset. This is unique identifier of a Flocker dataset
### `gce_persistent_disk`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `partition` - (Optional) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `pd_name` - (Required) Unique name of the PD resource in GCE. Used to identify the disk in GCE. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `read_only` - (Optional) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
### `glusterfs`
#### Arguments
* `endpoints_name` - (Required) The endpoint name that details Glusterfs topology. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
* `path` - (Required) The Glusterfs volume path. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
* `read_only` - (Optional) Whether to force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
### `host_path`
#### Arguments
* `path` - (Optional) Path of the directory on the host. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
* `type` - (Optional) Type for HostPath volume. Defaults to "". For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
### `iscsi`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#iscsi)
* `iqn` - (Required) Target iSCSI Qualified Name.
* `iscsi_interface` - (Optional) iSCSI interface name that uses an iSCSI transport. Defaults to 'default' (tcp).
* `lun` - (Optional) iSCSI target lun number.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false.
* `target_portal` - (Required) iSCSI target portal. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
### `local`
#### Arguments
* `path` - (Optional) Path of the directory on the host. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#local)
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the persistent volume, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this persistent volume that can be used by clients to determine when persistent volume has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this persistent volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `nfs`
#### Arguments
* `path` - (Required) Path that is exported by the NFS server. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
* `read_only` - (Optional) Whether to force the NFS export to be mounted with read-only permissions. Defaults to false. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
* `server` - (Required) Server is the hostname or IP address of the NFS server. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
### `photon_persistent_disk`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `pd_id` - (Required) ID that identifies Photon Controller persistent disk
### `quobyte`
#### Arguments
* `group` - (Optional) Group to map volume access to Default is no group
* `read_only` - (Optional) Whether to force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
* `registry` - (Required) Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
* `user` - (Optional) User to map volume access to Defaults to serivceaccount user
* `volume` - (Required) Volume is a string that references an already created Quobyte volume by name.
### `rbd`
#### Arguments
* `ceph_monitors` - (Required) A collection of Ceph monitors. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#rbd)
* `keyring` - (Optional) Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rados_user` - (Optional) The rados user name. Default is admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rbd_image` - (Required) The rados image name. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rbd_pool` - (Optional) The rados pool name. Default is rbd. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_ref` - (Optional) Name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it. see [secret_ref](#secret_ref) for more details.
### `secret_ref`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) The Namespace of the referent secret.
### `vsphere_volume`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `volume_path` - (Required) Path that identifies vSphere volume vmdk
## Import
Persistent Volume can be imported using its name, e.g.

154
docs/resources/persistent_volume_claim.md
View file

@ -9,6 +9,95 @@ description: |-
This resource allows the user to request for and claim to a persistent volume.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard persistent volume claim's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_until_bound` (Boolean) Whether to wait for the claim to reach `Bound` state (to find volume in which to claim the space)
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the persistent volume claim, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the persistent volume claim must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this persistent volume claim that can be used by clients to determine when persistent volume claim has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this persistent volume claim. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `access_modes` (Set of String) A set of the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
- `resources` (Block List, Min: 1, Max: 1) A list of the minimum resources the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources (see [below for nested schema](#nestedblock--spec--resources))
Optional:
- `selector` (Block List, Max: 1) A label query over volumes to consider for binding. (see [below for nested schema](#nestedblock--spec--selector))
- `storage_class_name` (String) Name of the storage class requested by the claim
- `volume_mode` (String) Defines what type of volume is required by the claim.
- `volume_name` (String) The binding reference to the PersistentVolume backing this claim.
<a id="nestedblock--spec--resources"></a>
### Nested Schema for `spec.resources`
Optional:
- `limits` (Map of String) Map describing the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- `requests` (Map of String) Map describing the minimum amount of compute resources required. If this is omitted for a container, it defaults to `limits` if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
<a id="nestedblock--spec--selector"></a>
### Nested Schema for `spec.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--selector--match_expressions"></a>
### Nested Schema for `spec.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -45,71 +134,6 @@ resource "kubernetes_persistent_volume" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard persistent volume claim's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the desired characteristics of a volume requested by a pod author. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
* `wait_until_bound` - (Optional) Whether to wait for the claim to reach `Bound` state (to find volume in which to claim the space)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the persistent volume claim, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the persistent volume claim must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this persistent volume claim that can be used by clients to determine when persistent volume claim has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this persistent volume claim. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `access_modes` - (Required) A set of the desired access modes the volume should have. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes)
* `resources` - (Required) A list of the minimum resources the volume should have. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources)
* `selector` - (Optional) A label query over volumes to consider for binding.
* `volume_name` - (Optional) The binding reference to the PersistentVolume backing this claim.
* `storage_class_name` - (Optional) Name of the storage class requested by the claim.
* `volume_mode` - (Optional) Defines what type of volume is required by the claim. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-mode)
### `match_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `operator` - (Optional) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
### `resources`
#### Arguments
* `limits` - (Optional) Map describing the maximum amount of compute resources allowed. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
* `requests` - (Optional) Map describing the minimum amount of compute resources required. If this is omitted for a container, it defaults to `limits` if that is explicitly specified, otherwise to an implementation-defined value. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
### `selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
## Import
Persistent Volume Claim can be imported using its namespace and name, e.g.

154
docs/resources/persistent_volume_claim_v1.md
View file

@ -9,6 +9,95 @@ description: |-
This resource allows the user to request for and claim to a persistent volume.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard persistent volume claim's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_until_bound` (Boolean) Whether to wait for the claim to reach `Bound` state (to find volume in which to claim the space)
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the persistent volume claim, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the persistent volume claim must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this persistent volume claim that can be used by clients to determine when persistent volume claim has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this persistent volume claim. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `access_modes` (Set of String) A set of the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
- `resources` (Block List, Min: 1, Max: 1) A list of the minimum resources the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources (see [below for nested schema](#nestedblock--spec--resources))
Optional:
- `selector` (Block List, Max: 1) A label query over volumes to consider for binding. (see [below for nested schema](#nestedblock--spec--selector))
- `storage_class_name` (String) Name of the storage class requested by the claim
- `volume_mode` (String) Defines what type of volume is required by the claim.
- `volume_name` (String) The binding reference to the PersistentVolume backing this claim.
<a id="nestedblock--spec--resources"></a>
### Nested Schema for `spec.resources`
Optional:
- `limits` (Map of String) Map describing the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- `requests` (Map of String) Map describing the minimum amount of compute resources required. If this is omitted for a container, it defaults to `limits` if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
<a id="nestedblock--spec--selector"></a>
### Nested Schema for `spec.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--selector--match_expressions"></a>
### Nested Schema for `spec.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -45,71 +134,6 @@ resource "kubernetes_persistent_volume_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard persistent volume claim's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the desired characteristics of a volume requested by a pod author. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
* `wait_until_bound` - (Optional) Whether to wait for the claim to reach `Bound` state (to find volume in which to claim the space)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the persistent volume claim that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume claim. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the persistent volume claim, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the persistent volume claim must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this persistent volume claim that can be used by clients to determine when persistent volume claim has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this persistent volume claim. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `access_modes` - (Required) A set of the desired access modes the volume should have. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes)
* `resources` - (Required) A list of the minimum resources the volume should have. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources)
* `selector` - (Optional) A label query over volumes to consider for binding.
* `volume_name` - (Optional) The binding reference to the PersistentVolume backing this claim.
* `storage_class_name` - (Optional) Name of the storage class requested by the claim.
* `volume_mode` - (Optional) Defines what type of volume is required by the claim. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-mode)
### `match_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `operator` - (Optional) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
### `resources`
#### Arguments
* `limits` - (Optional) Map describing the maximum amount of compute resources allowed. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
* `requests` - (Optional) Map describing the minimum amount of compute resources required. If this is omitted for a container, it defaults to `limits` if that is explicitly specified, otherwise to an implementation-defined value. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
### `selector`
#### Arguments
* `match_expressions` - (Optional) A list of label selector requirements. The requirements are ANDed.
* `match_labels` - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
## Import
Persistent Volume Claim can be imported using its namespace and name, e.g.

750
docs/resources/persistent_volume_v1.md
View file

@ -9,6 +9,479 @@ description: |-
The resource provides a piece of networked storage in the cluster provisioned by an administrator. It is a resource in the cluster just like a node is a cluster resource. Persistent Volumes have a lifecycle independent of any individual pod that uses the PV. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard persistent volume's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1) Spec of the persistent volume owned by the cluster (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the persistent volume, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this persistent volume that can be used by clients to determine when persistent volume has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this persistent volume. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `access_modes` (Set of String) Contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
- `capacity` (Map of String) A description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
- `persistent_volume_source` (Block List, Min: 1, Max: 1) The specification of a persistent volume. (see [below for nested schema](#nestedblock--spec--persistent_volume_source))
Optional:
- `claim_ref` (Block List, Max: 1) A reference to the persistent volume claim details for statically managed PVs. More Info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#binding (see [below for nested schema](#nestedblock--spec--claim_ref))
- `mount_options` (Set of String) A list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid.
- `node_affinity` (Block List, Max: 1) A description of the persistent volume's node affinity. More info: https://kubernetes.io/docs/concepts/storage/volumes/#local (see [below for nested schema](#nestedblock--spec--node_affinity))
- `persistent_volume_reclaim_policy` (String) What happens to a persistent volume when released from its claim. Valid options are Retain (default) and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
- `storage_class_name` (String) A description of the persistent volume's class. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class
- `volume_mode` (String) Defines if a volume is intended to be used with a formatted filesystem. or to remain in raw block state.
<a id="nestedblock--spec--persistent_volume_source"></a>
### Nested Schema for `spec.persistent_volume_source`
Optional:
- `aws_elastic_block_store` (Block List, Max: 1) Represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore (see [below for nested schema](#nestedblock--spec--persistent_volume_source--aws_elastic_block_store))
- `azure_disk` (Block List, Max: 1) Represents an Azure Data Disk mount on the host and bind mount to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--azure_disk))
- `azure_file` (Block List, Max: 1) Represents an Azure File Service mount on the host and bind mount to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--azure_file))
- `ceph_fs` (Block List, Max: 1) Represents a Ceph FS mount on the host that shares a pod's lifetime (see [below for nested schema](#nestedblock--spec--persistent_volume_source--ceph_fs))
- `cinder` (Block List, Max: 1) Represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--cinder))
- `csi` (Block List, Max: 1) Represents a CSI Volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#csi (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi))
- `fc` (Block List, Max: 1) Represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--fc))
- `flex_volume` (Block List, Max: 1) Represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flex_volume))
- `flocker` (Block List, Max: 1) Represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flocker))
- `gce_persistent_disk` (Block List, Max: 1) Represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk (see [below for nested schema](#nestedblock--spec--persistent_volume_source--gce_persistent_disk))
- `glusterfs` (Block List, Max: 1) Represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--glusterfs))
- `host_path` (Block List, Max: 1) Represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath (see [below for nested schema](#nestedblock--spec--persistent_volume_source--host_path))
- `iscsi` (Block List, Max: 1) Represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--iscsi))
- `local` (Block List, Max: 1) Represents a mounted local storage device such as a disk, partition or directory. Local volumes can only be used as a statically created PersistentVolume. Dynamic provisioning is not supported yet. More info: https://kubernetes.io/docs/concepts/storage/volumes#local (see [below for nested schema](#nestedblock--spec--persistent_volume_source--local))
- `nfs` (Block List, Max: 1) Represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs (see [below for nested schema](#nestedblock--spec--persistent_volume_source--nfs))
- `photon_persistent_disk` (Block List, Max: 1) Represents a PhotonController persistent disk attached and mounted on kubelets host machine (see [below for nested schema](#nestedblock--spec--persistent_volume_source--photon_persistent_disk))
- `quobyte` (Block List, Max: 1) Quobyte represents a Quobyte mount on the host that shares a pod's lifetime (see [below for nested schema](#nestedblock--spec--persistent_volume_source--quobyte))
- `rbd` (Block List, Max: 1) Represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md (see [below for nested schema](#nestedblock--spec--persistent_volume_source--rbd))
- `vsphere_volume` (Block List, Max: 1) Represents a vSphere volume attached and mounted on kubelets host machine (see [below for nested schema](#nestedblock--spec--persistent_volume_source--vsphere_volume))
<a id="nestedblock--spec--persistent_volume_source--aws_elastic_block_store"></a>
### Nested Schema for `spec.persistent_volume_source.aws_elastic_block_store`
Required:
- `volume_id` (String) Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
- `partition` (Number) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
- `read_only` (Boolean) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
<a id="nestedblock--spec--persistent_volume_source--azure_disk"></a>
### Nested Schema for `spec.persistent_volume_source.azure_disk`
Required:
- `caching_mode` (String) Host Caching mode: None, Read Only, Read Write.
- `data_disk_uri` (String) The URI the data disk in the blob storage
- `disk_name` (String) The Name of the data disk in the blob storage
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `kind` (String) The type for the data disk. Expected values: Shared, Dedicated, Managed. Defaults to Shared
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
<a id="nestedblock--spec--persistent_volume_source--azure_file"></a>
### Nested Schema for `spec.persistent_volume_source.azure_file`
Required:
- `secret_name` (String) The name of secret that contains Azure Storage Account Name and Key
- `share_name` (String) Share Name
Optional:
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
- `secret_namespace` (String) The namespace of the secret that contains Azure Storage Account Name and Key. For Kubernetes up to 1.18.x the default is the same as the Pod. For Kubernetes 1.19.x and later the default is "default" namespace.
<a id="nestedblock--spec--persistent_volume_source--ceph_fs"></a>
### Nested Schema for `spec.persistent_volume_source.ceph_fs`
Required:
- `monitors` (Set of String) Monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
Optional:
- `path` (String) Used as the mounted root, rather than the full Ceph tree, default is /
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to `false` (read/write). More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
- `secret_file` (String) The path to key ring for User, default is `/etc/ceph/user.secret`. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
- `secret_ref` (Block List, Max: 1) Reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it (see [below for nested schema](#nestedblock--spec--persistent_volume_source--ceph_fs--secret_ref))
- `user` (String) User is the rados user name, default is admin. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
<a id="nestedblock--spec--persistent_volume_source--ceph_fs--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.ceph_fs.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--cinder"></a>
### Nested Schema for `spec.persistent_volume_source.cinder`
Required:
- `volume_id` (String) Volume ID used to identify the volume in Cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write). More info: https://examples.k8s.io/mysql-cinder-pd/README.md
<a id="nestedblock--spec--persistent_volume_source--csi"></a>
### Nested Schema for `spec.persistent_volume_source.csi`
Required:
- `driver` (String) the name of the volume driver to use. More info: https://kubernetes.io/docs/concepts/storage/volumes/#csi
- `volume_handle` (String) A string value that uniquely identifies the volume. More info: https://kubernetes.io/docs/concepts/storage/volumes/#csi
Optional:
- `controller_expand_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--controller_expand_secret_ref))
- `controller_publish_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--controller_publish_secret_ref))
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `node_publish_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--node_publish_secret_ref))
- `node_stage_secret_ref` (Block List, Max: 1) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--csi--node_stage_secret_ref))
- `read_only` (Boolean) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#csi
- `volume_attributes` (Map of String) Attributes of the volume to publish.
<a id="nestedblock--spec--persistent_volume_source--csi--controller_expand_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.controller_expand_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--controller_publish_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.controller_publish_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--node_publish_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.node_publish_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--csi--node_stage_secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.csi.node_stage_secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--fc"></a>
### Nested Schema for `spec.persistent_volume_source.fc`
Required:
- `lun` (Number) FC target lun number
- `target_ww_ns` (Set of String) FC target worldwide names (WWNs)
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
<a id="nestedblock--spec--persistent_volume_source--flex_volume"></a>
### Nested Schema for `spec.persistent_volume_source.flex_volume`
Required:
- `driver` (String) Driver is the name of the driver to use for this volume.
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
- `options` (Map of String) Extra command options if any.
- `read_only` (Boolean) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false (read/write).
- `secret_ref` (Block List, Max: 1) Reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. (see [below for nested schema](#nestedblock--spec--persistent_volume_source--flex_volume--secret_ref))
<a id="nestedblock--spec--persistent_volume_source--flex_volume--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.flex_volume.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--flocker"></a>
### Nested Schema for `spec.persistent_volume_source.flocker`
Optional:
- `dataset_name` (String) Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
- `dataset_uuid` (String) UUID of the dataset. This is unique identifier of a Flocker dataset
<a id="nestedblock--spec--persistent_volume_source--gce_persistent_disk"></a>
### Nested Schema for `spec.persistent_volume_source.gce_persistent_disk`
Required:
- `pd_name` (String) Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- `partition` (Number) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- `read_only` (Boolean) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
<a id="nestedblock--spec--persistent_volume_source--glusterfs"></a>
### Nested Schema for `spec.persistent_volume_source.glusterfs`
Required:
- `endpoints_name` (String) The endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
- `path` (String) The Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
Optional:
- `read_only` (Boolean) Whether to force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
<a id="nestedblock--spec--persistent_volume_source--host_path"></a>
### Nested Schema for `spec.persistent_volume_source.host_path`
Optional:
- `path` (String) Path of the directory on the host. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
- `type` (String) Type for HostPath volume. Allowed values are "" (default), DirectoryOrCreate, Directory, FileOrCreate, File, Socket, CharDevice and BlockDevice
<a id="nestedblock--spec--persistent_volume_source--iscsi"></a>
### Nested Schema for `spec.persistent_volume_source.iscsi`
Required:
- `iqn` (String) Target iSCSI Qualified Name.
- `target_portal` (String) iSCSI target portal. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
- `iscsi_interface` (String) iSCSI interface name that uses an iSCSI transport. Defaults to 'default' (tcp).
- `lun` (Number) iSCSI target lun number.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false.
<a id="nestedblock--spec--persistent_volume_source--local"></a>
### Nested Schema for `spec.persistent_volume_source.local`
Optional:
- `path` (String) Path of the directory on the host. More info: https://kubernetes.io/docs/concepts/storage/volumes#local
<a id="nestedblock--spec--persistent_volume_source--nfs"></a>
### Nested Schema for `spec.persistent_volume_source.nfs`
Required:
- `path` (String) Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
- `server` (String) Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
Optional:
- `read_only` (Boolean) Whether to force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
<a id="nestedblock--spec--persistent_volume_source--photon_persistent_disk"></a>
### Nested Schema for `spec.persistent_volume_source.photon_persistent_disk`
Required:
- `pd_id` (String) ID that identifies Photon Controller persistent disk
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
<a id="nestedblock--spec--persistent_volume_source--quobyte"></a>
### Nested Schema for `spec.persistent_volume_source.quobyte`
Required:
- `registry` (String) Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
- `volume` (String) Volume is a string that references an already created Quobyte volume by name.
Optional:
- `group` (String) Group to map volume access to Default is no group
- `read_only` (Boolean) Whether to force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
- `user` (String) User to map volume access to Defaults to serivceaccount user
<a id="nestedblock--spec--persistent_volume_source--rbd"></a>
### Nested Schema for `spec.persistent_volume_source.rbd`
Required:
- `ceph_monitors` (Set of String) A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rbd_image` (String) The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
Optional:
- `fs_type` (String) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
- `keyring` (String) Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rados_user` (String) The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `rbd_pool` (String) The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it.
- `read_only` (Boolean) Whether to force the read-only setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
- `secret_ref` (Block List, Max: 1) Name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it (see [below for nested schema](#nestedblock--spec--persistent_volume_source--rbd--secret_ref))
<a id="nestedblock--spec--persistent_volume_source--rbd--secret_ref"></a>
### Nested Schema for `spec.persistent_volume_source.rbd.secret_ref`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--spec--persistent_volume_source--vsphere_volume"></a>
### Nested Schema for `spec.persistent_volume_source.vsphere_volume`
Required:
- `volume_path` (String) Path that identifies vSphere volume vmdk
Optional:
- `fs_type` (String) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
<a id="nestedblock--spec--claim_ref"></a>
### Nested Schema for `spec.claim_ref`
Required:
- `name` (String) The name of the PersistentVolumeClaim
Optional:
- `namespace` (String) The namespace of the PersistentVolumeClaim. Uses 'default' namespace if none is specified.
<a id="nestedblock--spec--node_affinity"></a>
### Nested Schema for `spec.node_affinity`
Optional:
- `required` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec--node_affinity--required))
<a id="nestedblock--spec--node_affinity--required"></a>
### Nested Schema for `spec.node_affinity.required`
Required:
- `node_selector_term` (Block List, Min: 1) (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term))
<a id="nestedblock--spec--node_affinity--required--node_selector_term"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term`
Optional:
- `match_expressions` (Block List) A list of node selector requirements by node's labels. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term--match_expressions))
- `match_fields` (Block List) A list of node selector requirements by node's fields. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--node_affinity--required--node_selector_term--match_fields))
<a id="nestedblock--spec--node_affinity--required--node_selector_term--match_expressions"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term.match_expressions`
Required:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists`, `DoesNotExist`, `Gt`, and `Lt`.
Optional:
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--spec--node_affinity--required--node_selector_term--match_fields"></a>
### Nested Schema for `spec.node_affinity.required.node_selector_term.match_fields`
Required:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists`, `DoesNotExist`, `Gt`, and `Lt`.
Optional:
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -77,283 +550,6 @@ resource "azurerm_managed_disk" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard persistent volume's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec of the persistent volume owned by the cluster. See below.
## Nested Blocks
### `spec`
#### Arguments
* `access_modes` - (Required) Contains all ways the volume can be mounted. Valid values are `ReadWriteOnce`, `ReadOnlyMany`, `ReadWriteMany`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
* `capacity` - (Required) A description of the persistent volume's resources and capacity. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity)
* `node_affinity` - (Optional) NodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.
* `persistent_volume_reclaim_policy` - (Optional) What happens to a persistent volume when released from its claim. Valid options are Retain (default), Delete and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming)
* `persistent_volume_source` - (Required) The specification of a persistent volume.
* `storage_class_name` - (Optional) The name of the persistent volume's storage class. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class)
* `mount_options` - (Optional) A Kubernetes administrator can specify additional mount options for when a Persistent Volume is mounted on a node.
~> Not all Persistent Volume types support mount options. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options)
* `volume_mode` - (Optional) Defines if a volume is used with a formatted filesystem or to remain in raw block state. Possible values are `Block` and `Filesystem`. Default value is `Filesystem`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-mode)
### `node_affinity`
#### Arguments
* `required` - (Optional) Required specifies hard node constraints that must be met.
### `required`
#### Arguments
* `node_selector_term` - (Required) A list of node selector terms. The terms are ORed.
### `node_selector_term`
#### Arguments
* `match_expressions` - (Optional) A list of node selector requirements by node's labels.
* `match_fields` - (Optional) A list of node selector requirements by node's fields.
### `match_expressions` and `match_fields`
#### Arguments
* `key` - (Required) The label key that the selector applies to.
* `operator` - (Required) Represents a key's relationship to a set of values. Valid operators are `In`, `NotIn`, `Exists`, `DoesNotExist`. `Gt`, and `Lt`.
* `values` - (Optional) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. If the operator is `Gt` or `Lt`, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
### `persistent_volume_source`
#### Arguments
* `aws_elastic_block_store` - (Optional) Represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `azure_disk` - (Optional) Represents an Azure Data Disk mount on the host and bind mount to the pod.
* `azure_file` - (Optional) Represents an Azure File Service mount on the host and bind mount to the pod.
* `ceph_fs` - (Optional) Represents a Ceph FS mount on the host that shares a pod's lifetime.
* `cinder` - (Optional) Represents a cinder volume attached and mounted on kubelets host machine. For more info see https://github.com/kubernetes/examples/tree/master/mysql-cinder-pd#mysql-installation-with-cinder-volume-plugin.
* `csi` - (Optional) CSI represents storage that is handled by an external CSI driver. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `fc` - (Optional) Represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
* `flex_volume` - (Optional) Represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.
* `flocker` - (Optional) Represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running.
* `gce_persistent_disk` - (Optional) Represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk).
* `glusterfs` - (Optional) Represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#glusterfs.
* `host_path` - (Optional) Represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
* `iscsi` - (Optional) Represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.
* `local` - (Optional) Represents a local storage volume on the host. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#local).
* `nfs` - (Optional) Represents an NFS mount on the host. Provisioned by an admin. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs).
* `photon_persistent_disk` - (Optional) Represents a PhotonController persistent disk attached and mounted on kubelets host machine.
* `quobyte` - (Optional) Quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
* `rbd` - (Optional) Represents a Rados Block Device mount on the host that shares a pod's lifetime. For more info see https://kubernetes.io/docs/concepts/storage/volumes/#rbd.
* `vsphere_volume` - (Optional) Represents a vSphere volume attached and mounted on kubelets host machine.
### `aws_elastic_block_store`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `partition` - (Optional) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
* `read_only` - (Optional) Whether to set the read-only property in VolumeMounts to "true". If omitted, the default is "false". For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
* `volume_id` - (Required) Unique ID of the persistent disk resource in AWS (Amazon EBS volume). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore)
### `azure_disk`
#### Arguments
* `caching_mode` - (Required) Host Caching mode: None, Read Only, Read Write.
* `data_disk_uri` - (Required) The URI the data disk in the blob storage OR the resource ID of an Azure managed data disk if `kind` is `Managed`.
* `disk_name` - (Required) The Name of the data disk in the blob storage OR the name of an Azure managed data disk if `kind` is `Managed`.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `kind` - (Optional) The type for the data disk. Expected values: `Shared`, `Dedicated`, `Managed`. Defaults to `Shared`.
### `azure_file`
#### Arguments
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `secret_name` - (Required) The name of secret that contains Azure Storage Account Name and Key.
* `secret_namespace` - (Optional) The namespace of the secret that contains Azure Storage Account Name and Key. For Kubernetes up to 1.18.x the default is the same as the Pod. For Kubernetes 1.19.x and later the default is \"default\" namespace.
* `share_name` - (Required) Share Name
### `ceph_fs`
#### Arguments
* `monitors` - (Required) Monitors is a collection of Ceph monitors. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `path` - (Optional) Used as the mounted root, rather than the full Ceph tree, default is /.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to `false` (read/write). For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_file` - (Optional) The path to key ring for User, default is /etc/ceph/user.secret. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_ref` - (Optional) Reference to the authentication secret for User, default is empty. sFor more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it. see [secret_ref](#secret_ref) for more details.
* `user` - (Optional) User is the rados user name, default is admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
### `cinder`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write). For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
* `volume_id` - (Required) Volume ID used to identify the volume in Cinder. For more info see https://github.com/kubernetes/examples/blob/master/mysql-cinder-pd/README.md#mysql-installation-with-cinder-volume-plugin.
### `csi`
#### Arguments
* `driver` - (Required) the name of the volume driver to use. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `volume_handle` - (Required) A map that specifies static properties of a volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes/#csi).
* `volume_attributes` - (Optional) Attributes of the volume to publish.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. `ext4`, `xfs`, `ntfs`.
* `read_only` - (Optional) Whether to set the read-only property in VolumeMounts to `true`. If omitted, the default is `false`.
* `controller_publish_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. see [secret_ref](#secret_ref) for more details.
* `node_stage_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. see [secret_ref](#secret_ref) for more details.
* `node_publish_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. see [secret_ref](#secret_ref) for more details.
* `controller_expand_secret_ref` - (Optional) A reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. see [secret_ref](#secret_ref) for more details.
### `fc`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `lun` - (Required) FC target lun number
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false (read/write).
* `target_ww_ns` - (Required) FC target worldwide names (WWNs)
### `flex_volume`
#### Arguments
* `driver` - (Required) Driver is the name of the driver to use for this volume.
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
* `options` - (Optional) Extra command options if any.
* `read_only` - (Optional) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false (read/write).
* `secret_ref` - (Optional) Reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. see [secret_ref](#secret_ref) for more details.
### `flocker`
#### Arguments
* `dataset_name` - (Optional) Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated
* `dataset_uuid` - (Optional) UUID of the dataset. This is unique identifier of a Flocker dataset
### `gce_persistent_disk`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `partition` - (Optional) The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `pd_name` - (Required) Unique name of the PD resource in GCE. Used to identify the disk in GCE. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
* `read_only` - (Optional) Whether to force the ReadOnly setting in VolumeMounts. Defaults to false. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk)
### `glusterfs`
#### Arguments
* `endpoints_name` - (Required) The endpoint name that details Glusterfs topology. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
* `path` - (Required) The Glusterfs volume path. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
* `read_only` - (Optional) Whether to force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. For more info see https://github.com/kubernetes/examples/tree/master/volumes/glusterfs#create-a-pod.
### `host_path`
#### Arguments
* `path` - (Optional) Path of the directory on the host. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
* `type` - (Optional) Type for HostPath volume. Defaults to "". For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#hostpath)
### `iscsi`
#### Arguments
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#iscsi)
* `iqn` - (Required) Target iSCSI Qualified Name.
* `iscsi_interface` - (Optional) iSCSI interface name that uses an iSCSI transport. Defaults to 'default' (tcp).
* `lun` - (Optional) iSCSI target lun number.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false.
* `target_portal` - (Required) iSCSI target portal. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).
### `local`
#### Arguments
* `path` - (Optional) Path of the directory on the host. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#local)
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the persistent volume that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the persistent volume. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the persistent volume, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this persistent volume that can be used by clients to determine when persistent volume has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this persistent volume. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `nfs`
#### Arguments
* `path` - (Required) Path that is exported by the NFS server. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
* `read_only` - (Optional) Whether to force the NFS export to be mounted with read-only permissions. Defaults to false. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
* `server` - (Required) Server is the hostname or IP address of the NFS server. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#nfs)
### `photon_persistent_disk`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `pd_id` - (Required) ID that identifies Photon Controller persistent disk
### `quobyte`
#### Arguments
* `group` - (Optional) Group to map volume access to Default is no group
* `read_only` - (Optional) Whether to force the Quobyte volume to be mounted with read-only permissions. Defaults to false.
* `registry` - (Required) Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes
* `user` - (Optional) User to map volume access to Defaults to serivceaccount user
* `volume` - (Required) Volume is a string that references an already created Quobyte volume by name.
### `rbd`
#### Arguments
* `ceph_monitors` - (Required) A collection of Ceph monitors. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `fs_type` - (Optional) Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/storage/volumes#rbd)
* `keyring` - (Optional) Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rados_user` - (Optional) The rados user name. Default is admin. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rbd_image` - (Required) The rados image name. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `rbd_pool` - (Optional) The rados pool name. Default is rbd. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `read_only` - (Optional) Whether to force the read-only setting in VolumeMounts. Defaults to false. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it.
* `secret_ref` - (Optional) Name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. For more info see https://github.com/kubernetes/examples/tree/master/volumes/cephfs/#how-to-use-it. see [secret_ref](#secret_ref) for more details.
### `secret_ref`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) The Namespace of the referent secret.
### `vsphere_volume`
#### Arguments
* `fs_type` - (Optional) Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
* `volume_path` - (Required) Path that identifies vSphere volume vmdk
## Import
Persistent Volume can be imported using its name, e.g.

2982
docs/resources/pod.md
View file

File diff suppressed because it is too large Load diff

105
docs/resources/pod_disruption_budget.md
View file

@ -7,9 +7,71 @@ description: |-
# kubernetes_pod_disruption_budget
A Pod Disruption Budget limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions.
A Pod Disruption Budget limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions. For example, a quorum-based application would like to ensure that the number of replicas running is never brought below the number needed for a quorum. A web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard pod disruption budget's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Specification of the desired behavior of the PodDisruptionBudget. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the pod disruption budget that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the pod disruption budget. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the pod disruption budget, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the pod disruption budget must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this pod disruption budget that can be used by clients to determine when pod disruption budget has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this pod disruption budget. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `selector` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--spec--selector))
Optional:
- `max_unavailable` (String)
- `min_available` (String)
<a id="nestedblock--spec--selector"></a>
### Nested Schema for `spec.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--selector--match_expressions"></a>
### Nested Schema for `spec.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
For example, a quorum-based application would like to ensure that the number of replicas running is never brought below the number needed for a quorum. A web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total.
## Example Usage
@ -28,42 +90,3 @@ resource "kubernetes_pod_disruption_budget" "demo" {
}
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource's metadata. For more info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `spec` - (Required) Spec defines the behavior of a Pod Disruption Budget. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `max_unavailable` - (Optional) Specifies the number of pods from the selected set that can be unavailable after the eviction. It can be either an absolute number or a percentage. You can specify only one of max_unavailable and min_available in a single Pod Disruption Budget. max_unavailable can only be used to control the eviction of pods that have an associated controller managing them.
* `min_available` - (Optional) Specifies the number of pods from the selected set that must still be available after the eviction, even in the absence of the evicted pod. min_available can be either an absolute number or a percentage. You can specify only one of min_available and max_unavailable in a single Pod Disruption Budget. min_available can only be used to control the eviction of pods that have an associated controller managing them.
* `selector` - (Optional) A label query over controllers (Deployment, ReplicationController, ReplicaSet, or StatefulSet) that the Pod Disruption Budget should be applied to. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors

103
docs/resources/pod_disruption_budget_v1.md
View file

@ -7,9 +7,71 @@ description: |-
# kubernetes_pod_disruption_budget_v1
A Pod Disruption Budget limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions.
A Pod Disruption Budget limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions. For example, a quorum-based application would like to ensure that the number of replicas running is never brought below the number needed for a quorum. A web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard pod disruption budget's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Specification of the desired behavior of the PodDisruptionBudget. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the pod disruption budget that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the pod disruption budget. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the pod disruption budget, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the pod disruption budget must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this pod disruption budget that can be used by clients to determine when pod disruption budget has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this pod disruption budget. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `selector` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--spec--selector))
Optional:
- `max_unavailable` (String)
- `min_available` (String)
<a id="nestedblock--spec--selector"></a>
### Nested Schema for `spec.selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--spec--selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--spec--selector--match_expressions"></a>
### Nested Schema for `spec.selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
For example, a quorum-based application would like to ensure that the number of replicas running is never brought below the number needed for a quorum. A web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total.
## Example Usage
@ -29,41 +91,4 @@ resource "kubernetes_pod_disruption_budget_v1" "demo" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource's metadata. For more info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
* `spec` - (Required) Spec defines the behavior of a Pod Disruption Budget. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#idempotency
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. Read more: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#concurrency-control-and-consistency
* `uid` - The unique in time and space value for this service. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
### `spec`
#### Arguments
* `max_unavailable` - (Optional) Specifies the number of pods from the selected set that can be unavailable after the eviction. It can be either an absolute number or a percentage. You can specify only one of max_unavailable and min_available in a single Pod Disruption Budget. max_unavailable can only be used to control the eviction of pods that have an associated controller managing them.
* `min_available` - (Optional) Specifies the number of pods from the selected set that must still be available after the eviction, even in the absence of the evicted pod. min_available can be either an absolute number or a percentage. You can specify only one of min_available and max_unavailable in a single Pod Disruption Budget. min_available can only be used to control the eviction of pods that have an associated controller managing them.
* `selector` - (Optional) A label query over controllers (Deployment, ReplicationController, ReplicaSet, or StatefulSet) that the Pod Disruption Budget should be applied to. For more info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors

318
docs/resources/pod_security_policy.md
View file

@ -9,6 +9,212 @@ description: |-
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard podsecuritypolicy's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec defines the policy enforced. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the podsecuritypolicy that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the podsecuritypolicy. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the podsecuritypolicy, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this podsecuritypolicy that can be used by clients to determine when podsecuritypolicy has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this podsecuritypolicy. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `fs_group` (Block List, Min: 1, Max: 1) fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. (see [below for nested schema](#nestedblock--spec--fs_group))
- `run_as_user` (Block List, Min: 1, Max: 1) runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. (see [below for nested schema](#nestedblock--spec--run_as_user))
- `supplemental_groups` (Block List, Min: 1, Max: 1) supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. (see [below for nested schema](#nestedblock--spec--supplemental_groups))
Optional:
- `allow_privilege_escalation` (Boolean) allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
- `allowed_capabilities` (List of String) allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
- `allowed_flex_volumes` (Block List) allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field. (see [below for nested schema](#nestedblock--spec--allowed_flex_volumes))
- `allowed_host_paths` (Block List) allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used. (see [below for nested schema](#nestedblock--spec--allowed_host_paths))
- `allowed_proc_mount_types` (List of String) AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
- `allowed_unsafe_sysctls` (List of String) allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- `default_add_capabilities` (List of String) defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
- `default_allow_privilege_escalation` (Boolean) defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
- `forbidden_sysctls` (List of String) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- `host_ipc` (Boolean) hostIPC determines if the policy allows the use of HostIPC in the pod spec.
- `host_network` (Boolean) hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
- `host_pid` (Boolean) hostPID determines if the policy allows the use of HostPID in the pod spec.
- `host_ports` (Block List) hostPorts determines which host port ranges are allowed to be exposed. (see [below for nested schema](#nestedblock--spec--host_ports))
- `privileged` (Boolean) privileged determines if a pod can request to be run as privileged.
- `read_only_root_filesystem` (Boolean) readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
- `required_drop_capabilities` (List of String) requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
- `run_as_group` (Block List, Max: 1) RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled. (see [below for nested schema](#nestedblock--spec--run_as_group))
- `se_linux` (Block List, Max: 1) seLinux is the strategy that will dictate the allowable labels that may be set. (see [below for nested schema](#nestedblock--spec--se_linux))
- `volumes` (List of String) volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
<a id="nestedblock--spec--fs_group"></a>
### Nested Schema for `spec.fs_group`
Required:
- `rule` (String) rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
Optional:
- `range` (Block List) ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--fs_group--range))
<a id="nestedblock--spec--fs_group--range"></a>
### Nested Schema for `spec.fs_group.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--run_as_user"></a>
### Nested Schema for `spec.run_as_user`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable RunAsUser values that may be set.
Optional:
- `range` (Block List) ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--run_as_user--range))
<a id="nestedblock--spec--run_as_user--range"></a>
### Nested Schema for `spec.run_as_user.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--supplemental_groups"></a>
### Nested Schema for `spec.supplemental_groups`
Required:
- `rule` (String) rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
Optional:
- `range` (Block List) ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--supplemental_groups--range))
<a id="nestedblock--spec--supplemental_groups--range"></a>
### Nested Schema for `spec.supplemental_groups.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--allowed_flex_volumes"></a>
### Nested Schema for `spec.allowed_flex_volumes`
Required:
- `driver` (String) driver is the name of the Flexvolume driver.
<a id="nestedblock--spec--allowed_host_paths"></a>
### Nested Schema for `spec.allowed_host_paths`
Required:
- `path_prefix` (String) pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.
Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`
Optional:
- `read_only` (Boolean) when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
<a id="nestedblock--spec--host_ports"></a>
### Nested Schema for `spec.host_ports`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--run_as_group"></a>
### Nested Schema for `spec.run_as_group`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
Optional:
- `range` (Block List) ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--run_as_group--range))
<a id="nestedblock--spec--run_as_group--range"></a>
### Nested Schema for `spec.run_as_group.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--se_linux"></a>
### Nested Schema for `spec.se_linux`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable labels that may be set.
Optional:
- `se_linux_options` (Block List) seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ (see [below for nested schema](#nestedblock--spec--se_linux--se_linux_options))
<a id="nestedblock--spec--se_linux--se_linux_options"></a>
### Nested Schema for `spec.se_linux.se_linux_options`
Required:
- `level` (String)
- `role` (String)
- `type` (String)
- `user` (String)
~> NOTE: With the release of Kubernetes v1.25, PodSecurityPolicy has been removed. You can read more information about the removal of PodSecurityPolicy in the [Kubernetes 1.25 release notes](https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes).
## Example Usage
@ -60,118 +266,6 @@ resource "kubernetes_pod_security_policy" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Pod Security Policy's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#metadata)
* `spec` - (Required) Spec contains information for locating and communicating with a server. [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Pod Security Policy that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Pod Security Policy.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Pod Security Policy, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Pod Security Policy that can be used by clients to determine when Pod Security Policy has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Pod Security Policy. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `allow_privilege_escalation` - (Optional) determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
* `allowed_capabilities` - (Optional) a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
* [`allowed_flex_volumes`](#allowed_flex_volumes) - (Optional) a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
* [`allowed_host_paths`](#allowed_host_paths) - (Optional) a white list of allowed host paths. Empty indicates that all host paths may be used.
* `allowed_proc_mount_types` - (Optional) a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled. Possible values are `"Default"` or `"Unmasked"`
* `allowed_unsafe_sysctls` - (Optional) a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single* means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: "foo/*" allows "foo/bar", "foo/baz", etc. and "foo.*" allows "foo.bar", "foo.baz", etc.
* `default_add_capabilities` - (Optional) the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
* `default_allow_privilege_escalation` - (Optional) controls the default setting for whether a process can gain more privileges than its parent process.
* `forbidden_sysctls` - (Optional) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single* means all sysctls are forbidden.
* [`fs_group`](#fs_group) - (Required) the strategy that will dictate what fs group is used by the SecurityContext.
* `host_ipc` - (Optional) determines if the policy allows the use of HostIPC in the pod spec.
* `host_network` - (Optional) determines if the policy allows the use of HostNetwork in the pod spec.
* `host_pid` - (Optional) determines if the policy allows the use of HostPID in the pod spec.
* `host_ports` - (Optional) determines which host port ranges are allowed to be exposed.
* `privileged` - (Optional) determines if a pod can request to be run as privileged.
* `read_only_root_filesystem` - (Optional) when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
* `required_drop_capabilities` - (Optional) the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
* [`run_as_user`](#run_as_user) - (Required) the strategy that will dictate the allowable RunAsUser values that may be set.
* [`run_as_group`](#run_as_group) - (Optional) the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.
* [`se_linux`](#se_linux) - (Required) the strategy that will dictate the allowable labels that may be set.
* [`supplemental_groups`](#supplemental_groups) - (Required) the strategy that will dictate what supplemental groups are used by the SecurityContext.
* `volumes` - (Optional) a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
### allowed_flex_volumes
### Arguments
* `driver` - (Required) the name of the Flexvolume driver.
### allowed_host_paths
### Arguments
* `path_prefix` - (Required) the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path. Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar`. `/foo` would not allow `/food` or `/etc/foo`
* `read_only` - (Optional) when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
### `fs_group`
#### Arguments
* `rule` - (Required) the strategy that will dictate what FSGroup is used in the SecurityContext.
* `range` - (Optional) the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.
### `run_as_user`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable RunAsUser values that may be set.
* `range` - (Optional) the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.
### `run_as_group`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable RunAsGroup values that may be set.
* `range` - (Optional) the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.
### `se_linux`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable labels that may be set.
* `se_linux_options` - (Optional) required to run as; required for MustRunAs. For more info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
### `supplemental_groups`
#### Arguments
* `rule` - (Required) the strategy that will dictate what supplemental groups is used in the SecurityContext.
* `range` - (Optional) the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.
### `range`
#### Arguments
* `min` - (Required) the start of the range, inclusive.
* `max` - (Required) the end of the range, inclusive.
## Import
Pod Security Policy can be imported using its name, e.g.

318
docs/resources/pod_security_policy_v1beta1.md
View file

@ -9,6 +9,212 @@ description: |-
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard podsecuritypolicy's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) spec defines the policy enforced. (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the podsecuritypolicy that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the podsecuritypolicy. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the podsecuritypolicy, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this podsecuritypolicy that can be used by clients to determine when podsecuritypolicy has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this podsecuritypolicy. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Required:
- `fs_group` (Block List, Min: 1, Max: 1) fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. (see [below for nested schema](#nestedblock--spec--fs_group))
- `run_as_user` (Block List, Min: 1, Max: 1) runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. (see [below for nested schema](#nestedblock--spec--run_as_user))
- `supplemental_groups` (Block List, Min: 1, Max: 1) supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. (see [below for nested schema](#nestedblock--spec--supplemental_groups))
Optional:
- `allow_privilege_escalation` (Boolean) allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
- `allowed_capabilities` (List of String) allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
- `allowed_flex_volumes` (Block List) allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field. (see [below for nested schema](#nestedblock--spec--allowed_flex_volumes))
- `allowed_host_paths` (Block List) allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used. (see [below for nested schema](#nestedblock--spec--allowed_host_paths))
- `allowed_proc_mount_types` (List of String) AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
- `allowed_unsafe_sysctls` (List of String) allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- `default_add_capabilities` (List of String) defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
- `default_allow_privilege_escalation` (Boolean) defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
- `forbidden_sysctls` (List of String) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- `host_ipc` (Boolean) hostIPC determines if the policy allows the use of HostIPC in the pod spec.
- `host_network` (Boolean) hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
- `host_pid` (Boolean) hostPID determines if the policy allows the use of HostPID in the pod spec.
- `host_ports` (Block List) hostPorts determines which host port ranges are allowed to be exposed. (see [below for nested schema](#nestedblock--spec--host_ports))
- `privileged` (Boolean) privileged determines if a pod can request to be run as privileged.
- `read_only_root_filesystem` (Boolean) readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
- `required_drop_capabilities` (List of String) requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
- `run_as_group` (Block List, Max: 1) RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled. (see [below for nested schema](#nestedblock--spec--run_as_group))
- `se_linux` (Block List, Max: 1) seLinux is the strategy that will dictate the allowable labels that may be set. (see [below for nested schema](#nestedblock--spec--se_linux))
- `volumes` (List of String) volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
<a id="nestedblock--spec--fs_group"></a>
### Nested Schema for `spec.fs_group`
Required:
- `rule` (String) rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
Optional:
- `range` (Block List) ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--fs_group--range))
<a id="nestedblock--spec--fs_group--range"></a>
### Nested Schema for `spec.fs_group.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--run_as_user"></a>
### Nested Schema for `spec.run_as_user`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable RunAsUser values that may be set.
Optional:
- `range` (Block List) ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--run_as_user--range))
<a id="nestedblock--spec--run_as_user--range"></a>
### Nested Schema for `spec.run_as_user.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--supplemental_groups"></a>
### Nested Schema for `spec.supplemental_groups`
Required:
- `rule` (String) rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
Optional:
- `range` (Block List) ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--supplemental_groups--range))
<a id="nestedblock--spec--supplemental_groups--range"></a>
### Nested Schema for `spec.supplemental_groups.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--allowed_flex_volumes"></a>
### Nested Schema for `spec.allowed_flex_volumes`
Required:
- `driver` (String) driver is the name of the Flexvolume driver.
<a id="nestedblock--spec--allowed_host_paths"></a>
### Nested Schema for `spec.allowed_host_paths`
Required:
- `path_prefix` (String) pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.
Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`
Optional:
- `read_only` (Boolean) when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
<a id="nestedblock--spec--host_ports"></a>
### Nested Schema for `spec.host_ports`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--run_as_group"></a>
### Nested Schema for `spec.run_as_group`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
Optional:
- `range` (Block List) ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs. (see [below for nested schema](#nestedblock--spec--run_as_group--range))
<a id="nestedblock--spec--run_as_group--range"></a>
### Nested Schema for `spec.run_as_group.range`
Required:
- `max` (Number) max is the end of the range, inclusive.
- `min` (Number) min is the start of the range, inclusive.
<a id="nestedblock--spec--se_linux"></a>
### Nested Schema for `spec.se_linux`
Required:
- `rule` (String) rule is the strategy that will dictate the allowable labels that may be set.
Optional:
- `se_linux_options` (Block List) seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ (see [below for nested schema](#nestedblock--spec--se_linux--se_linux_options))
<a id="nestedblock--spec--se_linux--se_linux_options"></a>
### Nested Schema for `spec.se_linux.se_linux_options`
Required:
- `level` (String)
- `role` (String)
- `type` (String)
- `user` (String)
~> NOTE: With the release of Kubernetes v1.25, PodSecurityPolicy has been removed. You can read more information about the removal of PodSecurityPolicy in the [Kubernetes 1.25 release notes](https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes).
## Example Usage
@ -60,118 +266,6 @@ resource "kubernetes_pod_security_policy_v1beta1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Pod Security Policy's metadata. For more info see [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
* `spec` - (Required) Spec contains information for locating and communicating with a server. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Pod Security Policy that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Pod Security Policy.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Pod Security Policy, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Pod Security Policy that can be used by clients to determine when Pod Security Policy has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/e59e666e3464c7d4851136baa8835a311efdfb8e/contributors/devel/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Pod Security Policy. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `allow_privilege_escalation` - (Optional) determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
* `allowed_capabilities` - (Optional) a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
* [`allowed_flex_volumes`](#allowed_flex_volumes) - (Optional) a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
* [`allowed_host_paths`](#allowed_host_paths) - (Optional) a white list of allowed host paths. Empty indicates that all host paths may be used.
* `allowed_proc_mount_types` - (Optional) a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled. Possible values are `"Default"` or `"Unmasked"`
* `allowed_unsafe_sysctls` - (Optional) a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single* means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: "foo/*" allows "foo/bar", "foo/baz", etc. and "foo.*" allows "foo.bar", "foo.baz", etc.
* `default_add_capabilities` - (Optional) the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
* `default_allow_privilege_escalation` - (Optional) controls the default setting for whether a process can gain more privileges than its parent process.
* `forbidden_sysctls` - (Optional) forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single* means all sysctls are forbidden.
* [`fs_group`](#fs_group) - (Required) the strategy that will dictate what fs group is used by the SecurityContext.
* `host_ipc` - (Optional) determines if the policy allows the use of HostIPC in the pod spec.
* `host_network` - (Optional) determines if the policy allows the use of HostNetwork in the pod spec.
* `host_pid` - (Optional) determines if the policy allows the use of HostPID in the pod spec.
* `host_ports` - (Optional) determines which host port ranges are allowed to be exposed.
* `privileged` - (Optional) determines if a pod can request to be run as privileged.
* `read_only_root_filesystem` - (Optional) when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
* `required_drop_capabilities` - (Optional) the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
* [`run_as_user`](#run_as_user) - (Required) the strategy that will dictate the allowable RunAsUser values that may be set.
* [`run_as_group`](#run_as_group) - (Optional) the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.
* [`se_linux`](#se_linux) - (Required) the strategy that will dictate the allowable labels that may be set.
* [`supplemental_groups`](#supplemental_groups) - (Required) the strategy that will dictate what supplemental groups are used by the SecurityContext.
* `volumes` - (Optional) a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
### allowed_flex_volumes
### Arguments
* `driver` - (Required) the name of the Flexvolume driver.
### allowed_host_paths
### Arguments
* `path_prefix` - (Required) the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path. Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar`. `/foo` would not allow `/food` or `/etc/foo`
* `read_only` - (Optional) when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
### `fs_group`
#### Arguments
* `rule` - (Required) the strategy that will dictate what FSGroup is used in the SecurityContext.
* `range` - (Optional) the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.
### `run_as_user`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable RunAsUser values that may be set.
* `range` - (Optional) the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.
### `run_as_group`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable RunAsGroup values that may be set.
* `range` - (Optional) the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.
### `se_linux`
#### Arguments
* `rule` - (Required) the strategy that will dictate the allowable labels that may be set.
* `se_linux_options` - (Optional) required to run as; required for MustRunAs. For more info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
### `supplemental_groups`
#### Arguments
* `rule` - (Required) the strategy that will dictate what supplemental groups is used in the SecurityContext.
* `range` - (Optional) the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.
### `range`
#### Arguments
* `min` - (Required) the start of the range, inclusive.
* `max` - (Required) the end of the range, inclusive.
## Import
Pod Security Policy can be imported using its name, e.g.

2972
docs/resources/pod_v1.md
View file

File diff suppressed because it is too large Load diff

69
docs/resources/priority_class.md
View file

@ -9,6 +9,43 @@ description: |-
A PriorityClass is a non-namespaced object that defines a mapping from a priority class name to the integer value of the priority.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard priority class's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `value` (Number) The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
### Optional
- `description` (String) An arbitrary string that usually provides guidelines on when this priority class should be used.
- `global_default` (Boolean) Specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.
- `preemption_policy` (String) PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the priority class that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the priority class. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the priority class, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this priority class that can be used by clients to determine when priority class has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this priority class. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
## Example Usage
```terraform
@ -21,38 +58,6 @@ resource "kubernetes_priority_class" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource quota's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `value` - (Required, Forces new resource) The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
* `description` - (Optional) An arbitrary string that usually provides guidelines on when this priority class should be used.
* `global_default` - (Optional) Boolean that specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class.
* `preemption_policy` - (Optional) PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the resource quota, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this resource quota. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Priority Class can be imported using its name, e.g.

70
docs/resources/priority_class_v1.md
View file

@ -9,6 +9,43 @@ description: |-
A PriorityClass is a non-namespaced object that defines a mapping from a priority class name to the integer value of the priority.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard priority class's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `value` (Number) The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
### Optional
- `description` (String) An arbitrary string that usually provides guidelines on when this priority class should be used.
- `global_default` (Boolean) Specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.
- `preemption_policy` (String) PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the priority class that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the priority class. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the priority class, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this priority class that can be used by clients to determine when priority class has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this priority class. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
## Example Usage
```terraform
@ -21,39 +58,6 @@ resource "kubernetes_priority_class_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource quota's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `value` - (Required, Forces new resource) The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.
* `description` - (Optional) An arbitrary string that usually provides guidelines on when this priority class should be used.
* `global_default` - (Optional) Boolean that specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class.
* `preemption_policy` - (Optional) PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the resource quota, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this resource quota. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
* `preemption_policy` - PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
## Import
Priority Class can be imported using its name, e.g.

2288
docs/resources/replication_controller.md
View file

File diff suppressed because it is too large Load diff

2288
docs/resources/replication_controller_v1.md
View file

File diff suppressed because it is too large Load diff

128
docs/resources/resource_quota.md
View file

@ -9,6 +9,82 @@ description: |-
A resource quota provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard resource quota's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec defines the desired quota. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the resource quota, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the resource quota must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this resource quota. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `hard` (Map of String) The set of desired hard limits for each named resource. More info: http://releases.k8s.io/HEAD/docs/design/admission_control_resource_quota.md#admissioncontrol-plugin-resourcequota
- `scope_selector` (Block List, Max: 1) A collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. (see [below for nested schema](#nestedblock--spec--scope_selector))
- `scopes` (Set of String) A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
<a id="nestedblock--spec--scope_selector"></a>
### Nested Schema for `spec.scope_selector`
Optional:
- `match_expression` (Block List) A list of scope selector requirements by scope of the resources. (see [below for nested schema](#nestedblock--spec--scope_selector--match_expression))
<a id="nestedblock--spec--scope_selector--match_expression"></a>
### Nested Schema for `spec.scope_selector.match_expression`
Required:
- `operator` (String) Represents a scope's relationship to a set of values.
- `scope_name` (String) The name of the scope that the selector applies to.
Optional:
- `values` (Set of String) A list of scope selector requirements by scope of the resources.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
- `update` (String)
## Example Usage
```terraform
@ -25,58 +101,6 @@ resource "kubernetes_resource_quota" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource quota's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Optional) Spec defines the desired quota. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the resource quota, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the resource quota must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this resource quota. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `hard` - (Optional) The set of desired hard limits for each named resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/policy/resource-quotas)
* `scopes` - (Optional) A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
* `scope_selector` - (Optional) A collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. See `scope_selector` below for more details.
#### `scope_selector`
##### Arguments
* `match_expression` - (Optional) A list of scope selector requirements by scope of the resources. See `match_expression` below for more details.
##### `match_expression`
###### Arguments
* `scope_name` - (Required) The name of the scope that the selector applies to. Valid values are `Terminating`, `NotTerminating`, `BestEffort`, `NotBestEffort`, and `PriorityClass`.
* `operator` - (Required) Represents a scope's relationship to a set of values. Valid operators are `In`, `NotIn`, `Exists`, `DoesNotExist`.
* `values` - (Optional) A list of scope selector requirements by scope of the resources.
## Import
Resource Quota can be imported using its namespace and name, e.g.

128
docs/resources/resource_quota_v1.md
View file

@ -9,6 +9,82 @@ description: |-
A resource quota provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard resource quota's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) Spec defines the desired quota. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the resource quota, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the resource quota must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this resource quota. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `hard` (Map of String) The set of desired hard limits for each named resource. More info: http://releases.k8s.io/HEAD/docs/design/admission_control_resource_quota.md#admissioncontrol-plugin-resourcequota
- `scope_selector` (Block List, Max: 1) A collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. (see [below for nested schema](#nestedblock--spec--scope_selector))
- `scopes` (Set of String) A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
<a id="nestedblock--spec--scope_selector"></a>
### Nested Schema for `spec.scope_selector`
Optional:
- `match_expression` (Block List) A list of scope selector requirements by scope of the resources. (see [below for nested schema](#nestedblock--spec--scope_selector--match_expression))
<a id="nestedblock--spec--scope_selector--match_expression"></a>
### Nested Schema for `spec.scope_selector.match_expression`
Required:
- `operator` (String) Represents a scope's relationship to a set of values.
- `scope_name` (String) The name of the scope that the selector applies to.
Optional:
- `values` (Set of String) A list of scope selector requirements by scope of the resources.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
- `update` (String)
## Example Usage
```terraform
@ -25,58 +101,6 @@ resource "kubernetes_resource_quota_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard resource quota's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Optional) Spec defines the desired quota. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the resource quota that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the resource quota. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the resource quota, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the resource quota must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this resource quota that can be used by clients to determine when resource quota has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this resource quota. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `hard` - (Optional) The set of desired hard limits for each named resource. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/policy/resource-quotas)
* `scopes` - (Optional) A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
* `scope_selector` - (Optional) A collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. See `scope_selector` below for more details.
#### `scope_selector`
##### Arguments
* `match_expression` - (Optional) A list of scope selector requirements by scope of the resources. See `match_expression` below for more details.
##### `match_expression`
###### Arguments
* `scope_name` - (Required) The name of the scope that the selector applies to. Valid values are `Terminating`, `NotTerminating`, `BestEffort`, `NotBestEffort`, and `PriorityClass`.
* `operator` - (Required) Represents a scope's relationship to a set of values. Valid operators are `In`, `NotIn`, `Exists`, `DoesNotExist`.
* `values` - (Optional) A list of scope selector requirements by scope of the resources.
## Import
Resource Quota can be imported using its namespace and name, e.g.

86
docs/resources/role.md
View file

@ -9,6 +9,52 @@ description: |-
A role contains rules that represent a set of permissions. Permissions are purely additive (there are no “deny” rules).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard role's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `rule` (Block List, Min: 1) Rule defining a set of permissions for the role (see [below for nested schema](#nestedblock--rule))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the role that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the role. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the role, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the role must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this role that can be used by clients to determine when role has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this role. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--rule"></a>
### Nested Schema for `rule`
Required:
- `api_groups` (Set of String) Name of the APIGroup that contains the resources
- `resources` (Set of String) List of resources that the rule applies to
- `verbs` (Set of String) List of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule
Optional:
- `resource_names` (Set of String) White list of names that the rule applies to
## Example Usage
```terraform
@ -34,46 +80,6 @@ resource "kubernetes_role" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard role's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `rule` - (Required) List of rules that define the set of permissions for this role. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](hhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role. **Must match `selector`**.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the role must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this role that can be used by clients to determine when role has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this role. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `rule`
#### Arguments
* `api_groups` - (Required) List of APIGroups that contains the resources.
* `resources` - (Required) List of resources that the rule applies to.
* `resource_names` - (Optional) White list of names that the rule applies to.
* `verbs` - (Required) List of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.
## Import
Role can be imported using the namespace and name, e.g.

108
docs/resources/role_binding.md
View file

@ -5,7 +5,64 @@ description: |-
A RoleBinding may be used to grant permission at the namespace level.
---
# kubernetes_role_binding
# kubernetes_role_binding
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard roleBinding's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `role_ref` (Block List, Min: 1, Max: 1) RoleRef references the Role for this binding (see [below for nested schema](#nestedblock--role_ref))
- `subject` (Block List, Min: 1) Subjects defines the entities to bind a Role to. (see [below for nested schema](#nestedblock--subject))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the roleBinding that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the roleBinding. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the roleBinding, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the roleBinding must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this roleBinding that can be used by clients to determine when roleBinding has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this roleBinding. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--role_ref"></a>
### Nested Schema for `role_ref`
Required:
- `api_group` (String) The API group of the user. The only value possible at the moment is `rbac.authorization.k8s.io`.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--subject"></a>
### Nested Schema for `subject`
Required:
- `kind` (String) The kind of resource.
- `name` (String) The name of the resource to bind to.
Optional:
- `api_group` (String) The API group of the subject resource.
- `namespace` (String) The Namespace of the subject resource.
A RoleBinding may be used to grant permission at the namespace level
@ -40,55 +97,6 @@ resource "kubernetes_role_binding" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `role_ref` - (Required) The Role to bind Subjects to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding)
* `subject` - (Required) The Users, Groups, or ServiceAccounts to grand permissions to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the role binding must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `role_ref`
#### Arguments
* `name` - (Required) The name of this Role to bind Subjects to.
* `kind` - (Required) The type of binding to use. This value must be present and defaults to `Role`
* `api_group` - (Required) The API group to drive authorization decisions. This value must be and defaults to `rbac.authorization.k8s.io`
### `subject`
#### Arguments
* `name` - (Required) The name of this Role to bind Subjects to.
* `namespace` - (Optional) Namespace defines the namespace of the ServiceAccount to bind to. This value only applies to kind `ServiceAccount`
* `kind` - (Required) The type of binding to use. This value must be `ServiceAccount`, `User` or `Group`
* `api_group` - (Required) The API group to drive authorization decisions. This value only applies to kind `User` and `Group`. It must be `rbac.authorization.k8s.io`
## Import
RoleBinding can be imported using the name, e.g.

106
docs/resources/role_binding_v1.md
View file

@ -9,6 +9,63 @@ description: |-
A RoleBinding may be used to grant permission at the namespace level
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard roleBinding's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `role_ref` (Block List, Min: 1, Max: 1) RoleRef references the Role for this binding (see [below for nested schema](#nestedblock--role_ref))
- `subject` (Block List, Min: 1) Subjects defines the entities to bind a Role to. (see [below for nested schema](#nestedblock--subject))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the roleBinding that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the roleBinding. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the roleBinding, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the roleBinding must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this roleBinding that can be used by clients to determine when roleBinding has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this roleBinding. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--role_ref"></a>
### Nested Schema for `role_ref`
Required:
- `api_group` (String) The API group of the user. The only value possible at the moment is `rbac.authorization.k8s.io`.
- `kind` (String) The kind of resource.
- `name` (String) The name of the User to bind to.
<a id="nestedblock--subject"></a>
### Nested Schema for `subject`
Required:
- `kind` (String) The kind of resource.
- `name` (String) The name of the resource to bind to.
Optional:
- `api_group` (String) The API group of the subject resource.
- `namespace` (String) The Namespace of the subject resource.
## Example Usage
```terraform
@ -40,55 +97,6 @@ resource "kubernetes_role_binding_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard kubernetes metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `role_ref` - (Required) The Role to bind Subjects to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding)
* `subject` - (Required) The Users, Groups, or ServiceAccounts to grand permissions to. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role binding that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role binding.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role binding, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the role binding must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this role binding. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `role_ref`
#### Arguments
* `name` - (Required) The name of this Role to bind Subjects to.
* `kind` - (Required) The type of binding to use. This value must be present and defaults to `Role`
* `api_group` - (Required) The API group to drive authorization decisions. This value must be and defaults to `rbac.authorization.k8s.io`
### `subject`
#### Arguments
* `name` - (Required) The name of this Role to bind Subjects to.
* `namespace` - (Optional) Namespace defines the namespace of the ServiceAccount to bind to. This value only applies to kind `ServiceAccount`
* `kind` - (Required) The type of binding to use. This value must be `ServiceAccount`, `User` or `Group`
* `api_group` - (Required) The API group to drive authorization decisions. This value only applies to kind `User` and `Group`. It must be `rbac.authorization.k8s.io`
## Import
RoleBinding can be imported using the name, e.g.

86
docs/resources/role_v1.md
View file

@ -9,6 +9,52 @@ description: |-
A role contains rules that represent a set of permissions. Permissions are purely additive (there are no “deny” rules).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard role's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `rule` (Block List, Min: 1) Rule defining a set of permissions for the role (see [below for nested schema](#nestedblock--rule))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the role that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the role. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the role, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the role must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this role that can be used by clients to determine when role has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this role. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--rule"></a>
### Nested Schema for `rule`
Required:
- `api_groups` (Set of String) Name of the APIGroup that contains the resources
- `resources` (Set of String) List of resources that the rule applies to
- `verbs` (Set of String) List of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule
Optional:
- `resource_names` (Set of String) White list of names that the rule applies to
## Example Usage
```terraform
@ -34,46 +80,6 @@ resource "kubernetes_role_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard role's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `rule` - (Required) List of rules that define the set of permissions for this role. For more info see [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](hhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role. **Must match `selector`**.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the role must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this role that can be used by clients to determine when role has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this role. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `rule`
#### Arguments
* `api_groups` - (Required) List of APIGroups that contains the resources.
* `resources` - (Required) List of resources that the rule applies to.
* `resource_names` - (Optional) White list of names that the rule applies to.
* `verbs` - (Required) List of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.
## Import
Role can be imported using the namespace and name, e.g.

61
docs/resources/runtime_class_v1.md
View file

@ -9,6 +9,37 @@ description: |-
A runtime class is used to determine which container runtime is used to run all containers in a pod.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `handler` (String) Specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class
- `metadata` (Block List, Min: 1, Max: 1) Standard runtimeclass's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the runtimeclass that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the runtimeclass. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the runtimeclass, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this runtimeclass that can be used by clients to determine when runtimeclass has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this runtimeclass. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
## Example usage
```terraform
@ -20,36 +51,6 @@ resource "kubernetes_runtime_class_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard role's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `handler` - (Required) Specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/runtime-class/)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](hhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role. **Must match `selector`**.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this role that can be used by clients to determine when role has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this role. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
Runtime class can be imported using the name only, e.g.

89
docs/resources/secret.md
View file

@ -13,6 +13,54 @@ The resource provides mechanisms to inject containers with sensitive information
~> **Note:** All arguments including the secret data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard secret's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `binary_data` (Map of String, Sensitive) A map of the secret data in base64 encoding. Use this for binary data.
- `data` (Map of String, Sensitive) A map of the secret data.
- `immutable` (Boolean) Ensures that data stored in the Secret cannot be updated (only object metadata can be modified).
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `type` (String) Type of secret
- `wait_for_service_account_token` (Boolean) Terraform will wait for the service account token to be created.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the secret that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the secret. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the secret, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the secret must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this secret. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -96,47 +144,6 @@ resource "kubernetes_secret" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `data` - (Optional) A map of the secret data.
* `binary_data` - (Optional) A map base64 encoded map of the secret data.
* `metadata` - (Required) Standard secret's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `type` - (Optional) The secret type. Defaults to `Opaque`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/c7151dd8dd7e487e96e5ce34c6a416bb3b037609/contributors/design-proposals/auth/secrets.md#proposed-design)
* `immutable` - (Optional) Ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time.
* `wait_for_service_account_token` - (Optional) Terraform will wait for the service account token to be created. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the secret that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the secret. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the secret, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the secret must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this secret. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### Timeouts
`kubernetes_secret` provides the following configuration options:
- `create` - Default `1 minute`
## Import
Secret can be imported using its namespace and name, e.g.

89
docs/resources/secret_v1.md
View file

@ -13,6 +13,54 @@ The resource provides mechanisms to inject containers with sensitive information
~> **Note:** All arguments including the secret data will be stored in the raw state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard secret's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `binary_data` (Map of String, Sensitive) A map of the secret data in base64 encoding. Use this for binary data.
- `data` (Map of String, Sensitive) A map of the secret data.
- `immutable` (Boolean) Ensures that data stored in the Secret cannot be updated (only object metadata can be modified).
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `type` (String) Type of secret
- `wait_for_service_account_token` (Boolean) Terraform will wait for the service account token to be created.
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the secret that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the secret. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the secret, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the secret must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this secret. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -96,47 +144,6 @@ resource "kubernetes_secret_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `data` - (Optional) A map of the secret data.
* `binary_data` - (Optional) A map base64 encoded map of the secret data.
* `metadata` - (Required) Standard secret's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `type` - (Optional) The secret type. Defaults to `Opaque`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/c7151dd8dd7e487e96e5ce34c6a416bb3b037609/contributors/design-proposals/auth/secrets.md#proposed-design)
* `immutable` - (Optional) Ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time.
* `wait_for_service_account_token` - (Optional) Terraform will wait for the service account token to be created. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the secret that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the secret. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the secret, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the secret must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this secret that can be used by clients to determine when secret has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this secret. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### Timeouts
`kubernetes_secret_v1` provides the following configuration options:
- `create` - Default `1 minute`
## Import
Secret can be imported using its namespace and name, e.g.

237
docs/resources/service.md
View file

@ -9,6 +9,135 @@ description: |-
A Service is an abstraction which defines a logical set of pods and a policy by which to access them - sometimes called a micro-service.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec defines the behavior of a service. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_for_load_balancer` (Boolean) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created.
### Read-Only
- `id` (String) The ID of this resource.
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `allocate_load_balancer_node_ports` (Boolean) Defines if `NodePorts` will be automatically allocated for services with type `LoadBalancer`. It may be set to `false` if the cluster load-balancer does not rely on `NodePorts`. If the caller requests specific `NodePorts` (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type `LoadBalancer`. Default is `true`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
- `cluster_ip` (String) The IP address of the service. It is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. `None` can be specified for headless services when proxying is not required. Ignored if type is `ExternalName`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `cluster_ips` (List of String) List of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise creation of the service will fail. If this field is not specified, it will be initialized from the `clusterIP` field. If this field is specified, clients must ensure that `clusterIPs[0]` and `clusterIP` have the same value. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `external_ips` (Set of String) A list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.
- `external_name` (String) The external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires `type` to be `ExternalName`.
- `external_traffic_policy` (String) Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. `Local` preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. `Cluster` obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. More info: https://kubernetes.io/docs/tutorials/services/source-ip/
- `health_check_node_port` (Number) Specifies the Healthcheck NodePort for the service. Only effects when type is set to `LoadBalancer` and external_traffic_policy is set to `Local`.
- `internal_traffic_policy` (String) Specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. `Cluster` routes internal traffic to a Service to all endpoints. `Local` routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is `Cluster`.
- `ip_families` (List of String) IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service.
- `ip_family_policy` (String) IPFamilyPolicy represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to SingleStack. Services can be 'SingleStack' (a single IP family), 'PreferDualStack' (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or 'RequireDualStack' (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field.
- `load_balancer_class` (String) The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the Service type is `LoadBalancer`. If not set, the default load balancer implementation is used. This field can only be set when creating or updating a Service to type `LoadBalancer`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
- `load_balancer_ip` (String) Only applies to `type = LoadBalancer`. LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying this field when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.
- `load_balancer_source_ranges` (Set of String) If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature. More info: http://kubernetes.io/docs/user-guide/services-firewalls
- `port` (Block List) The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies (see [below for nested schema](#nestedblock--spec--port))
- `publish_not_ready_addresses` (Boolean) When set to true, indicates that DNS implementations must publish the `notReadyAddresses` of subsets for the Endpoints associated with the Service. The default value is `false`. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate `SRV` records for its Pods without respect to their readiness for purpose of peer discovery.
- `selector` (Map of String) Route service traffic to pods with label keys and values matching this selector. Only applies to types `ClusterIP`, `NodePort`, and `LoadBalancer`. More info: https://kubernetes.io/docs/concepts/services-networking/service/
- `session_affinity` (String) Used to maintain session affinity. Supports `ClientIP` and `None`. Defaults to `None`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `session_affinity_config` (Block List, Max: 1) Contains the configurations of session affinity. More info: https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs (see [below for nested schema](#nestedblock--spec--session_affinity_config))
- `type` (String) Determines how the service is exposed. Defaults to `ClusterIP`. Valid options are `ExternalName`, `ClusterIP`, `NodePort`, and `LoadBalancer`. `ExternalName` maps to the specified `external_name`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
<a id="nestedblock--spec--port"></a>
### Nested Schema for `spec.port`
Required:
- `port` (Number) The port that will be exposed by this service.
Optional:
- `app_protocol` (String) The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
- `name` (String) The name of this port within the service. All ports within the service must have unique names. Optional if only one ServicePort is defined on this service.
- `node_port` (Number) The port on each node on which this service is exposed when `type` is `NodePort` or `LoadBalancer`. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the `type` of this service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
- `protocol` (String) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
- `target_port` (String) Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. This field is ignored for services with `cluster_ip = "None"`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
<a id="nestedblock--spec--session_affinity_config"></a>
### Nested Schema for `spec.session_affinity_config`
Optional:
- `client_ip` (Block List, Max: 1) Contains the configurations of Client IP based session affinity. (see [below for nested schema](#nestedblock--spec--session_affinity_config--client_ip))
<a id="nestedblock--spec--session_affinity_config--client_ip"></a>
### Nested Schema for `spec.session_affinity_config.client_ip`
Optional:
- `timeout_seconds` (Number) Specifies the seconds of `ClientIP` type session sticky time. The value must be > 0 and <= 86400(for 1 day) if `ServiceAffinity` == `ClientIP`.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
@ -112,114 +241,6 @@ output "load_balancer_info" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the behavior of a service. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `allocate_load_balancer_node_ports` - (Optional) Defines if `NodePorts` will be automatically allocated for services with type `LoadBalancer`. It may be set to `false` if the cluster load-balancer does not rely on `NodePorts`. If the caller requests specific `NodePorts` (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type `LoadBalancer`. Default is `true`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation)
* `cluster_ip` - (Optional) The IP address of the service. It is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. `None` can be specified for headless services when proxying is not required. Ignored if type is `ExternalName`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `cluster_ips` - (Optional) List of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise creation of the service will fail. If this field is not specified, it will be initialized from the `clusterIP` field. If this field is specified, clients must ensure that `clusterIPs[0]` and `clusterIP` have the same value. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `external_ips` - (Optional) A list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.
* `external_name` - (Optional) The external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires `type` to be `ExternalName`.
* `external_traffic_policy` - (Optional) Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. `Local` preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. `Cluster` obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. For more info see [Kubernetes reference](https://kubernetes.io/docs/tutorials/services/source-ip/)
* `ip_families` - (Optional) A list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the `ip_family_policy` field. If this field is specified manually, the requested family is available in the cluster, and `ip_family_policy` allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dual-stack/)
* `ip_family_policy` - (Optional) Represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to `SingleStack`. Services can be `SingleStack`(a single IP family), `PreferDualStack`(two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or `RequireDualStack`(two IP families on dual-stack configured clusters, otherwise fail). The `ip_families` and `cluster_ip` fields depend on the value of this field.
* `internal_traffic_policy` - (Optional) Specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. `Cluster` routes internal traffic to a Service to all endpoints. `Local` routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is `Cluster`.
* `load_balancer_class` - (Optional) The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the Service type is `LoadBalancer`. If not set, the default load balancer implementation is used. This field can only be set when creating or updating a Service to type `LoadBalancer`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class)
* `load_balancer_ip` - (Optional) Only applies to `type = LoadBalancer`. LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying this field when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.
* `load_balancer_source_ranges` - (Optional) If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature. For more info see [Kubernetes reference](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/).
* `port` - (Optional) The list of ports that are exposed by this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `publish_not_ready_addresses` - (Optional) When set to true, indicates that DNS implementations must publish the `notReadyAddresses` of subsets for the Endpoints associated with the Service. The default value is `false`. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate `SRV` records for its Pods without respect to their readiness for purpose of peer discovery.
* `selector` - (Optional) Route service traffic to pods with label keys and values matching this selector. Only applies to types `ClusterIP`, `NodePort`, and `LoadBalancer`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/)
* `session_affinity` - (Optional) Used to maintain session affinity. Supports `ClientIP` and `None`. Defaults to `None`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `session_affinity_config` - (Optional) Contains the configurations of session affinity. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs)
* `type` - (Optional) Determines how the service is exposed. Defaults to `ClusterIP`. Valid options are `ExternalName`, `ClusterIP`, `NodePort`, and `LoadBalancer`. `ExternalName` maps to the specified `external_name`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types)
* `health_check_node_port` - (Optional) Specifies the Healthcheck NodePort for the service. Only effects when type is set to `LoadBalancer` and external_traffic_policy is set to `Local`.
### `port`
#### Arguments
* `app_protocol` - (Optional) The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per [RFC-6335](https://datatracker.ietf.org/doc/html/rfc6335) and [IANA standard service names](https://www.iana.org/assignments/service-names)). Non-standard protocols should use prefixed names such as `mycompany.com/my-custom-protocol`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
* `name` - (Optional) The name of this port within the service. All ports within the service must have unique names. Optional if only one ServicePort is defined on this service.
* `node_port` - (Optional) The port on each node on which this service is exposed when `type` is `NodePort` or `LoadBalancer`. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the `type` of this service requires one. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
* `port` - (Required) The port that will be exposed by this service.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
* `target_port` - (Optional) Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. This field is ignored for services with `cluster_ip = "None"`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service)
### `session_affinity_config`
#### Arguments
* `client_ip` - (Optional) Contains the configurations of Client IP based session affinity.
### `client_ip`
#### Arguments
* `timeout_seconds` - (Optional) Specifies the seconds of `ClientIP` type session sticky time. The value must be > 0 and <= 86400(for 1 day) if ServiceAffinity == `ClientIP`.
## Attributes
* `status` - Status is a list containing the most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
### `status`
#### Attributes
* `load_balancer` - a list containing the current status of the load-balancer, if one is present.
### `load_balancer`
#### Attributes
* `ingress` - a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
### `ingress`
#### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
### Timeouts
`kubernetes_service` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `create` - Default `10 minutes`
## Import
Service can be imported using its namespace and name, e.g.

116
docs/resources/service_account.md
View file

@ -11,6 +11,69 @@ A service account provides an identity for processes that run in a Pod.
Read more at [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service account's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `automount_service_account_token` (Boolean) Enable automatic mounting of the service account token
- `image_pull_secret` (Block Set) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod (see [below for nested schema](#nestedblock--image_pull_secret))
- `secret` (Block Set) A list of secrets allowed to be used by pods running using this Service Account. More info: https://kubernetes.io/docs/concepts/configuration/secret (see [below for nested schema](#nestedblock--secret))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `default_secret_name` (String, Deprecated)
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service account that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service account, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service account must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service account. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--image_pull_secret"></a>
### Nested Schema for `image_pull_secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--secret"></a>
### Nested Schema for `secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
## Example Usage
```terraform
@ -34,59 +97,6 @@ resource "kubernetes_secret" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
* `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/secret)
* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the service account, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the service account must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `image_pull_secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `default_secret_name` - (Deprecated) Name of the default secret, containing service account token, created & managed by the service. By default, the provider will try to find the secret containing the service account token that Kubernetes automatically created for the service account. Where there are multiple tokens and the provider cannot determine which was created by Kubernetes, this attribute will be empty. When only one token is associated with the service account, the provider will return this single token secret.
Starting from version `1.24.0` by default Kubernetes does not automatically generate tokens for service accounts. That leads to the situation when `default_secret_name` cannot be computed and thus will be an empty string. In order to create a service account token, please [use `kubernetes_secret_v1` resource](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1#example-usage-service-account-token)
## Import
Service account can be imported using the namespace and name, e.g.

118
docs/resources/service_account_v1.md
View file

@ -7,9 +7,70 @@ description: |-
# kubernetes_service_account_v1
A service account provides an identity for processes that run in a Pod.
A service account provides an identity for processes that run in a Pod. Read more at [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service account's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `automount_service_account_token` (Boolean) Enable automatic mounting of the service account token
- `image_pull_secret` (Block Set) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod (see [below for nested schema](#nestedblock--image_pull_secret))
- `secret` (Block Set) A list of secrets allowed to be used by pods running using this Service Account. More info: https://kubernetes.io/docs/concepts/configuration/secret (see [below for nested schema](#nestedblock--secret))
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
### Read-Only
- `default_secret_name` (String, Deprecated)
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service account that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service account, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service account must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service account. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--image_pull_secret"></a>
### Nested Schema for `image_pull_secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--secret"></a>
### Nested Schema for `secret`
Optional:
- `name` (String) Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
Read more at [Kubernetes reference](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
## Example Usage
@ -34,59 +95,6 @@ resource "kubernetes_secret_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)
* `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/configuration/secret)
* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service account that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service account. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the service account, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the service account must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service account that can be used by clients to determine when service account has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service account. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `image_pull_secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `secret`
#### Arguments
* `name` - (Optional) Name of the referent. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `default_secret_name` - (Deprecated) Name of the default secret, containing service account token, created & managed by the service. By default, the provider will try to find the secret containing the service account token that Kubernetes automatically created for the service account. Where there are multiple tokens and the provider cannot determine which was created by Kubernetes, this attribute will be empty. When only one token is associated with the service account, the provider will return this single token secret.
Starting from version `1.24.0` by default Kubernetes does not automatically generate tokens for service accounts. That leads to the situation when `default_secret_name` cannot be computed and thus will be an empty string. In order to create a service account token, please [use `kubernetes_secret_v1` resource](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1#example-usage-service-account-token)
## Import
Service account can be imported using the namespace and name, e.g.

237
docs/resources/service_v1.md
View file

@ -9,6 +9,135 @@ description: |-
A Service is an abstraction which defines a logical set of pods and a policy by which to access them - sometimes called a micro-service.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard service's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `spec` (Block List, Min: 1, Max: 1) Spec defines the behavior of a service. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status (see [below for nested schema](#nestedblock--spec))
### Optional
- `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
- `wait_for_load_balancer` (Boolean) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created.
### Read-Only
- `id` (String) The ID of this resource.
- `status` (List of Object) (see [below for nested schema](#nestedatt--status))
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the service that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the service, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the service must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `allocate_load_balancer_node_ports` (Boolean) Defines if `NodePorts` will be automatically allocated for services with type `LoadBalancer`. It may be set to `false` if the cluster load-balancer does not rely on `NodePorts`. If the caller requests specific `NodePorts` (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type `LoadBalancer`. Default is `true`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
- `cluster_ip` (String) The IP address of the service. It is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. `None` can be specified for headless services when proxying is not required. Ignored if type is `ExternalName`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `cluster_ips` (List of String) List of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise creation of the service will fail. If this field is not specified, it will be initialized from the `clusterIP` field. If this field is specified, clients must ensure that `clusterIPs[0]` and `clusterIP` have the same value. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `external_ips` (Set of String) A list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.
- `external_name` (String) The external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires `type` to be `ExternalName`.
- `external_traffic_policy` (String) Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. `Local` preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. `Cluster` obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. More info: https://kubernetes.io/docs/tutorials/services/source-ip/
- `health_check_node_port` (Number) Specifies the Healthcheck NodePort for the service. Only effects when type is set to `LoadBalancer` and external_traffic_policy is set to `Local`.
- `internal_traffic_policy` (String) Specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. `Cluster` routes internal traffic to a Service to all endpoints. `Local` routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is `Cluster`.
- `ip_families` (List of String) IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service.
- `ip_family_policy` (String) IPFamilyPolicy represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to SingleStack. Services can be 'SingleStack' (a single IP family), 'PreferDualStack' (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or 'RequireDualStack' (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field.
- `load_balancer_class` (String) The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the Service type is `LoadBalancer`. If not set, the default load balancer implementation is used. This field can only be set when creating or updating a Service to type `LoadBalancer`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
- `load_balancer_ip` (String) Only applies to `type = LoadBalancer`. LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying this field when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.
- `load_balancer_source_ranges` (Set of String) If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature. More info: http://kubernetes.io/docs/user-guide/services-firewalls
- `port` (Block List) The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies (see [below for nested schema](#nestedblock--spec--port))
- `publish_not_ready_addresses` (Boolean) When set to true, indicates that DNS implementations must publish the `notReadyAddresses` of subsets for the Endpoints associated with the Service. The default value is `false`. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate `SRV` records for its Pods without respect to their readiness for purpose of peer discovery.
- `selector` (Map of String) Route service traffic to pods with label keys and values matching this selector. Only applies to types `ClusterIP`, `NodePort`, and `LoadBalancer`. More info: https://kubernetes.io/docs/concepts/services-networking/service/
- `session_affinity` (String) Used to maintain session affinity. Supports `ClientIP` and `None`. Defaults to `None`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
- `session_affinity_config` (Block List, Max: 1) Contains the configurations of session affinity. More info: https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs (see [below for nested schema](#nestedblock--spec--session_affinity_config))
- `type` (String) Determines how the service is exposed. Defaults to `ClusterIP`. Valid options are `ExternalName`, `ClusterIP`, `NodePort`, and `LoadBalancer`. `ExternalName` maps to the specified `external_name`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
<a id="nestedblock--spec--port"></a>
### Nested Schema for `spec.port`
Required:
- `port` (Number) The port that will be exposed by this service.
Optional:
- `app_protocol` (String) The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
- `name` (String) The name of this port within the service. All ports within the service must have unique names. Optional if only one ServicePort is defined on this service.
- `node_port` (Number) The port on each node on which this service is exposed when `type` is `NodePort` or `LoadBalancer`. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the `type` of this service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
- `protocol` (String) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
- `target_port` (String) Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. This field is ignored for services with `cluster_ip = "None"`. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
<a id="nestedblock--spec--session_affinity_config"></a>
### Nested Schema for `spec.session_affinity_config`
Optional:
- `client_ip` (Block List, Max: 1) Contains the configurations of Client IP based session affinity. (see [below for nested schema](#nestedblock--spec--session_affinity_config--client_ip))
<a id="nestedblock--spec--session_affinity_config--client_ip"></a>
### Nested Schema for `spec.session_affinity_config.client_ip`
Optional:
- `timeout_seconds` (Number) Specifies the seconds of `ClientIP` type session sticky time. The value must be > 0 and <= 86400(for 1 day) if `ServiceAffinity` == `ClientIP`.
<a id="nestedblock--timeouts"></a>
### Nested Schema for `timeouts`
Optional:
- `create` (String)
<a id="nestedatt--status"></a>
### Nested Schema for `status`
Read-Only:
- `load_balancer` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer))
<a id="nestedobjatt--status--load_balancer"></a>
### Nested Schema for `status.load_balancer`
Read-Only:
- `ingress` (List of Object) (see [below for nested schema](#nestedobjatt--status--load_balancer--ingress))
<a id="nestedobjatt--status--load_balancer--ingress"></a>
### Nested Schema for `status.load_balancer.ingress`
Read-Only:
- `hostname` (String)
- `ip` (String)
## Example Usage
```terraform
@ -112,114 +241,6 @@ output "load_balancer_info" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard service's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec defines the behavior of a service. [Kubernetes reference](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)
* `wait_for_load_balancer` - (Optional) Terraform will wait for the load balancer to have at least 1 endpoint before considering the resource created. Defaults to `true`.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the service that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the service. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the service, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the service must be unique.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this service that can be used by clients to determine when service has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `spec`
#### Arguments
* `allocate_load_balancer_node_ports` - (Optional) Defines if `NodePorts` will be automatically allocated for services with type `LoadBalancer`. It may be set to `false` if the cluster load-balancer does not rely on `NodePorts`. If the caller requests specific `NodePorts` (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type `LoadBalancer`. Default is `true`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation)
* `cluster_ip` - (Optional) The IP address of the service. It is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. `None` can be specified for headless services when proxying is not required. Ignored if type is `ExternalName`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `cluster_ips` - (Optional) List of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise creation of the service will fail. If this field is not specified, it will be initialized from the `clusterIP` field. If this field is specified, clients must ensure that `clusterIPs[0]` and `clusterIP` have the same value. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `external_ips` - (Optional) A list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.
* `external_name` - (Optional) The external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires `type` to be `ExternalName`.
* `external_traffic_policy` - (Optional) Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. `Local` preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. `Cluster` obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. For more info see [Kubernetes reference](https://kubernetes.io/docs/tutorials/services/source-ip/)
* `ip_families` - (Optional) A list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the `ip_family_policy` field. If this field is specified manually, the requested family is available in the cluster, and `ip_family_policy` allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dual-stack/)
* `ip_family_policy` - (Optional) Represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to `SingleStack`. Services can be `SingleStack`(a single IP family), `PreferDualStack`(two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or `RequireDualStack`(two IP families on dual-stack configured clusters, otherwise fail). The `ip_families` and `cluster_ip` fields depend on the value of this field.
* `internal_traffic_policy` - (Optional) Specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. `Cluster` routes internal traffic to a Service to all endpoints. `Local` routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is `Cluster`.
* `load_balancer_class` - (Optional) The class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix. This field can only be set when the Service type is `LoadBalancer`. If not set, the default load balancer implementation is used. This field can only be set when creating or updating a Service to type `LoadBalancer`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class)
* `load_balancer_ip` - (Optional) Only applies to `type = LoadBalancer`. LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying this field when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.
* `load_balancer_source_ranges` - (Optional) If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature. For more info see [Kubernetes reference](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/).
* `port` - (Optional) The list of ports that are exposed by this service. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `publish_not_ready_addresses` - (Optional) When set to true, indicates that DNS implementations must publish the `notReadyAddresses` of subsets for the Endpoints associated with the Service. The default value is `false`. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate `SRV` records for its Pods without respect to their readiness for purpose of peer discovery.
* `selector` - (Optional) Route service traffic to pods with label keys and values matching this selector. Only applies to types `ClusterIP`, `NodePort`, and `LoadBalancer`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/)
* `session_affinity` - (Optional) Used to maintain session affinity. Supports `ClientIP` and `None`. Defaults to `None`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)
* `session_affinity_config` - (Optional) Contains the configurations of session affinity. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-ipvs)
* `type` - (Optional) Determines how the service is exposed. Defaults to `ClusterIP`. Valid options are `ExternalName`, `ClusterIP`, `NodePort`, and `LoadBalancer`. `ExternalName` maps to the specified `external_name`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types)
* `health_check_node_port` - (Optional) Specifies the Healthcheck NodePort for the service. Only effects when type is set to `LoadBalancer` and external_traffic_policy is set to `Local`.
### `port`
#### Arguments
* `app_protocol` - (Optional) The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per [RFC-6335](https://datatracker.ietf.org/doc/html/rfc6335) and [IANA standard service names](http://www.iana.org/assignments/service-names)). Non-standard protocols should use prefixed names such as `mycompany.com/my-custom-protocol`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
* `name` - (Optional) The name of this port within the service. All ports within the service must have unique names. Optional if only one ServicePort is defined on this service.
* `node_port` - (Optional) The port on each node on which this service is exposed when `type` is `NodePort` or `LoadBalancer`. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the `type` of this service requires one. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
* `port` - (Required) The port that will be exposed by this service.
* `protocol` - (Optional) The IP protocol for this port. Supports `TCP` and `UDP`. Default is `TCP`.
* `target_port` - (Optional) Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. This field is ignored for services with `cluster_ip = "None"`. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service)
### `session_affinity_config`
#### Arguments
* `client_ip` - (Optional) Contains the configurations of Client IP based session affinity.
### `client_ip`
#### Arguments
* `timeout_seconds` - (Optional) Specifies the seconds of `ClientIP` type session sticky time. The value must be > 0 and <= 86400(for 1 day) if ServiceAffinity == `ClientIP`.
## Attributes
* `status` - Status is a list containing the most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
### `status`
#### Attributes
* `load_balancer` - a list containing the current status of the load-balancer, if one is present.
### `load_balancer`
#### Attributes
* `ingress` - a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.
### `ingress`
#### Attributes
* `ip` - IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers).
* `hostname` - Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers).
### Timeouts
`kubernetes_service_v1` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
- `create` - Default `10 minutes`
## Import
Service can be imported using its namespace and name, e.g.

2463
docs/resources/stateful_set.md
View file

File diff suppressed because it is too large Load diff

2465
docs/resources/stateful_set_v1.md
View file

File diff suppressed because it is too large Load diff

108
docs/resources/storage_class.md
View file

@ -5,12 +5,69 @@ description: |-
Storage class is the foundation of dynamic provisioning, allowing cluster administrators to define abstractions for the underlying storage platform.
---
# kubernetes_storage_class
# kubernetes_storage_class
Storage class is the foundation of dynamic provisioning, allowing cluster administrators to define abstractions for the underlying storage platform.
Read more at https://kubernetes.io/blog/2017/03/dynamic-provisioning-and-storage-classes-kubernetes/
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard storage class's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `storage_provisioner` (String) Indicates the type of the provisioner
### Optional
- `allow_volume_expansion` (Boolean) Indicates whether the storage class allow volume expand
- `allowed_topologies` (Block List, Max: 1) Restrict the node topologies where volumes can be dynamically provisioned. (see [below for nested schema](#nestedblock--allowed_topologies))
- `mount_options` (Set of String) Persistent Volumes that are dynamically created by a storage class will have the mount options specified
- `parameters` (Map of String) The parameters for the provisioner that should create volumes of this storage class
- `reclaim_policy` (String) Indicates the type of the reclaim policy
- `volume_binding_mode` (String) Indicates when volume binding and dynamic provisioning should occur
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the storage class that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the storage class. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the storage class, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this storage class that can be used by clients to determine when storage class has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this storage class. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--allowed_topologies"></a>
### Nested Schema for `allowed_topologies`
Optional:
- `match_label_expressions` (Block List) A list of topology selector requirements by labels. (see [below for nested schema](#nestedblock--allowed_topologies--match_label_expressions))
<a id="nestedblock--allowed_topologies--match_label_expressions"></a>
### Nested Schema for `allowed_topologies.match_label_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `values` (Set of String) An array of string values. One value must match the label to be selected.
## Example Usage
```terraform
@ -27,55 +84,6 @@ resource "kubernetes_storage_class" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard storage class's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `parameters` - (Optional) The parameters for the provisioner that should create volumes of this storage class. Read more about [available parameters](https://kubernetes.io/docs/concepts/storage/storage-classes/#parameters).
* `storage_provisioner` - (Required) Indicates the type of the provisioner
* `reclaim_policy` - (Optional) Indicates the reclaim policy to use. If no reclaimPolicy is specified when a StorageClass object is created, it will default to Delete.
* `volume_binding_mode` - (Optional) Indicates when volume binding and dynamic provisioning should occur.
* `allow_volume_expansion` - (Optional) Indicates whether the storage class allow volume expand, default true.
* `mount_options` - (Optional) Persistent Volumes that are dynamically created by a storage class will have the mount options specified.
* `allowed_topologies` - (Optional) Restrict the node topologies where volumes can be dynamically provisioned. See [allowed_topologies](#allowed_topologies)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the storage class that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the storage class. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the storage class, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `allowed_topologies`
#### Arguments
* `match_label_expressions` - (Optional) A list of topology selector requirements by labels. See [match_label_expressions](#match_label_expressions)
### `match_label_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `values` - (Optional) An array of string values. One value must match the label to be selected.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this storage class that can be used by clients to determine when storage class has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this storage class. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
kubernetes_storage_class can be imported using its name, e.g.

108
docs/resources/storage_class_v1.md
View file

@ -7,9 +7,64 @@ description: |-
# kubernetes_storage_class_v1
Storage class is the foundation of dynamic provisioning, allowing cluster administrators to define abstractions for the underlying storage platform.
Storage class is the foundation of dynamic provisioning, allowing cluster administrators to define abstractions for the underlying storage platform. Read more [here] (https://kubernetes.io/blog/2017/03/dynamic-provisioning-and-storage-classes-kubernetes/)
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard storage class's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `storage_provisioner` (String) Indicates the type of the provisioner
### Optional
- `allow_volume_expansion` (Boolean) Indicates whether the storage class allow volume expand
- `allowed_topologies` (Block List, Max: 1) Restrict the node topologies where volumes can be dynamically provisioned. (see [below for nested schema](#nestedblock--allowed_topologies))
- `mount_options` (Set of String) Persistent Volumes that are dynamically created by a storage class will have the mount options specified
- `parameters` (Map of String) The parameters for the provisioner that should create volumes of this storage class
- `reclaim_policy` (String) Indicates the type of the reclaim policy
- `volume_binding_mode` (String) Indicates when volume binding and dynamic provisioning should occur
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the storage class that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the storage class. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the storage class, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this storage class that can be used by clients to determine when storage class has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this storage class. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--allowed_topologies"></a>
### Nested Schema for `allowed_topologies`
Optional:
- `match_label_expressions` (Block List) A list of topology selector requirements by labels. (see [below for nested schema](#nestedblock--allowed_topologies--match_label_expressions))
<a id="nestedblock--allowed_topologies--match_label_expressions"></a>
### Nested Schema for `allowed_topologies.match_label_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `values` (Set of String) An array of string values. One value must match the label to be selected.
Read more at https://kubernetes.io/blog/2017/03/dynamic-provisioning-and-storage-classes-kubernetes/
## Example Usage
@ -27,55 +82,6 @@ resource "kubernetes_storage_class_v1" "example" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard storage class's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `parameters` - (Optional) The parameters for the provisioner that should create volumes of this storage class. Read more about [available parameters](https://kubernetes.io/docs/concepts/storage/storage-classes/#parameters).
* `storage_provisioner` - (Required) Indicates the type of the provisioner
* `reclaim_policy` - (Optional) Indicates the reclaim policy to use. If no reclaimPolicy is specified when a StorageClass object is created, it will default to Delete.
* `volume_binding_mode` - (Optional) Indicates when volume binding and dynamic provisioning should occur.
* `allow_volume_expansion` - (Optional) Indicates whether the storage class allow volume expand, default true.
* `mount_options` - (Optional) Persistent Volumes that are dynamically created by a storage class will have the mount options specified.
* `allowed_topologies` - (Optional) Restrict the node topologies where volumes can be dynamically provisioned. See [allowed_topologies](#allowed_topologies)
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the storage class that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the storage class. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the storage class, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
### `allowed_topologies`
#### Arguments
* `match_label_expressions` - (Optional) A list of topology selector requirements by labels. See [match_label_expressions](#match_label_expressions)
### `match_label_expressions`
#### Arguments
* `key` - (Optional) The label key that the selector applies to.
* `values` - (Optional) An array of string values. One value must match the label to be selected.
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this storage class that can be used by clients to determine when storage class has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this storage class. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
## Import
kubernetes_storage_class_v1 can be imported using its name, e.g.

102
docs/resources/token_request_v1.md
View file

@ -9,6 +9,63 @@ description: |-
TokenRequest requests a token for a given service account.
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard token request's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
### Optional
- `spec` (Block List, Max: 1) (see [below for nested schema](#nestedblock--spec))
### Read-Only
- `id` (String) The ID of this resource.
- `token` (String, Sensitive) Token is the opaque bearer token.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the token request that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the token request. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the token request, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- `namespace` (String) Namespace defines the space within which name of the token request must be unique.
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this token request that can be used by clients to determine when token request has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this token request. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--spec"></a>
### Nested Schema for `spec`
Optional:
- `audiences` (List of String) Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
- `bound_object_ref` (Block List, Max: 1) BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation. (see [below for nested schema](#nestedblock--spec--bound_object_ref))
- `expiration_seconds` (Number) expiration_seconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response. The expiration can't be less than 10 minutes.
<a id="nestedblock--spec--bound_object_ref"></a>
### Nested Schema for `spec.bound_object_ref`
Optional:
- `api_version` (String) API version of the referent.
- `kind` (String) Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
- `name` (String) Name of the referent.
- `uid` (String) UID of the referent.
## Example Usage
```terraform
@ -36,48 +93,3 @@ output "tokenValue" {
}
```
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard role's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `spec` - (Required) Spec holds information about the request being evaluated
### Attributes
* `token` - Token is the opaque bearer token.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the role that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](hhttps://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the role. **Must match `selector`**.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the role, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
* `namespace` - (Optional) Namespace defines the space within which name of the role must be unique.
### `spec`
#### Arguments
* `audiences` - (Optional) Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
* `expiration_seconds` - (Optional) ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
* `bound_object_ref` - (Optional) BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
### `bound_object_ref`
#### Arguments
* `api_version` - (Optional) API version of the referent.
* `kind` - (Optional) Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
* `name` - (Optional) Name of the referent.
* `uid` - (Optional) UID of the referent.

251
docs/resources/validating_webhook_configuration.md
View file

@ -9,6 +9,185 @@ description: |-
Validating Webhook Configuration configures a [validating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard validating webhook configuration's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `webhook` (Block List, Min: 1) Webhooks is a list of webhooks and the affected resources and operations. (see [below for nested schema](#nestedblock--webhook))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the validating webhook configuration that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the validating webhook configuration. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the validating webhook configuration, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this validating webhook configuration that can be used by clients to determine when validating webhook configuration has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this validating webhook configuration. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--webhook"></a>
### Nested Schema for `webhook`
Required:
- `client_config` (Block List, Min: 1, Max: 1) ClientConfig defines how to communicate with the hook. Required (see [below for nested schema](#nestedblock--webhook--client_config))
- `name` (String) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
Optional:
- `admission_review_versions` (List of String) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
- `failure_policy` (String) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
- `match_policy` (String) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
<a id="nestedblock--webhook--client_config"></a>
### Nested Schema for `webhook.client_config`
Optional:
- `ca_bundle` (String) `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
<a id="nestedblock--webhook--client_config--service"></a>
### Nested Schema for `webhook.client_config.service`
Required:
- `name` (String) `name` is the name of the service. Required
- `namespace` (String) `namespace` is the namespace of the service. Required
Optional:
- `path` (String) `path` is an optional URL path which will be sent in any request to this service.
- `port` (Number) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
<a id="nestedblock--webhook--namespace_selector"></a>
### Nested Schema for `webhook.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--namespace_selector--match_expressions"></a>
### Nested Schema for `webhook.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--object_selector"></a>
### Nested Schema for `webhook.object_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--object_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--object_selector--match_expressions"></a>
### Nested Schema for `webhook.object_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--rule"></a>
### Nested Schema for `webhook.rule`
Required:
- `api_groups` (List of String)
- `api_versions` (List of String)
- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
- `resources` (List of String)
Optional:
- `scope` (String)
## Example Usage
```terraform
@ -46,78 +225,6 @@ resource "kubernetes_validating_webhook_configuration" "example" {
The provider supports clusters running either `v1` or `v1beta1` of the Admission Registration API.
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Validating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `webhook` - (Required) A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Validating Webhook Configuration that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Validating Webhook Configuration. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Validating Webhook Configuration, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Validating Webhook Configuration that can be used by clients to determine when Validating Webhook Configuration has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Validating Webhook Configuration. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - (Optional) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - (Required) ClientConfig defines how to communicate with the hook.
* `failure_policy` - (Optional) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - (Optional) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - (Required) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - (Optional) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - (Optional) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `rule` - (Optional) Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - (Required) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - (Optional) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - (Optional) A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - (Optional) A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - (Optional) Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - (Required) The name of the service.
* `namespace` - (Required) The namespace of the service.
* `path` - (Optional) The URL path which will be sent in any request to this service.
* `port` - (Optional) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - (Required) The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - (Required) The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - (Required) The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - (Required) A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - (Optional) Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
## Import
Validating Webhook Configuration can be imported using the name, e.g.

251
docs/resources/validating_webhook_configuration_v1.md
View file

@ -9,6 +9,185 @@ description: |-
Validating Webhook Configuration configures a [validating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks).
<!-- schema generated by tfplugindocs -->
## Schema
### Required
- `metadata` (Block List, Min: 1, Max: 1) Standard validating webhook configuration's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata (see [below for nested schema](#nestedblock--metadata))
- `webhook` (Block List, Min: 1) Webhooks is a list of webhooks and the affected resources and operations. (see [below for nested schema](#nestedblock--webhook))
### Read-Only
- `id` (String) The ID of this resource.
<a id="nestedblock--metadata"></a>
### Nested Schema for `metadata`
Optional:
- `annotations` (Map of String) An unstructured key value map stored with the validating webhook configuration that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- `generate_name` (String) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency
- `labels` (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) the validating webhook configuration. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- `name` (String) Name of the validating webhook configuration, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Read-Only:
- `generation` (Number) A sequence number representing a specific generation of the desired state.
- `resource_version` (String) An opaque value that represents the internal version of this validating webhook configuration that can be used by clients to determine when validating webhook configuration has changed. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
- `uid` (String) The unique in time and space value for this validating webhook configuration. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
<a id="nestedblock--webhook"></a>
### Nested Schema for `webhook`
Required:
- `client_config` (Block List, Min: 1, Max: 1) ClientConfig defines how to communicate with the hook. Required (see [below for nested schema](#nestedblock--webhook--client_config))
- `name` (String) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
Optional:
- `admission_review_versions` (List of String) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
- `failure_policy` (String) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
- `match_policy` (String) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
Defaults to "Equivalent"
- `namespace_selector` (Block List, Max: 1) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--namespace_selector))
- `object_selector` (Block List, Max: 1) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. (see [below for nested schema](#nestedblock--webhook--object_selector))
- `rule` (Block List) Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. (see [below for nested schema](#nestedblock--webhook--rule))
- `side_effects` (String) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
- `timeout_seconds` (Number) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
<a id="nestedblock--webhook--client_config"></a>
### Nested Schema for `webhook.client_config`
Optional:
- `ca_bundle` (String) `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
- `service` (Block List, Max: 1) `service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
If the webhook is running within the cluster, then you should use `service`. (see [below for nested schema](#nestedblock--webhook--client_config--service))
- `url` (String) `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
The scheme must be "https"; the URL must begin with "https://".
A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
<a id="nestedblock--webhook--client_config--service"></a>
### Nested Schema for `webhook.client_config.service`
Required:
- `name` (String) `name` is the name of the service. Required
- `namespace` (String) `namespace` is the namespace of the service. Required
Optional:
- `path` (String) `path` is an optional URL path which will be sent in any request to this service.
- `port` (Number) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
<a id="nestedblock--webhook--namespace_selector"></a>
### Nested Schema for `webhook.namespace_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--namespace_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--namespace_selector--match_expressions"></a>
### Nested Schema for `webhook.namespace_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--object_selector"></a>
### Nested Schema for `webhook.object_selector`
Optional:
- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see [below for nested schema](#nestedblock--webhook--object_selector--match_expressions))
- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of `match_expressions`, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
<a id="nestedblock--webhook--object_selector--match_expressions"></a>
### Nested Schema for `webhook.object_selector.match_expressions`
Optional:
- `key` (String) The label key that the selector applies to.
- `operator` (String) A key's relationship to a set of values. Valid operators ard `In`, `NotIn`, `Exists` and `DoesNotExist`.
- `values` (Set of String) An array of string values. If the operator is `In` or `NotIn`, the values array must be non-empty. If the operator is `Exists` or `DoesNotExist`, the values array must be empty. This array is replaced during a strategic merge patch.
<a id="nestedblock--webhook--rule"></a>
### Nested Schema for `webhook.rule`
Required:
- `api_groups` (List of String)
- `api_versions` (List of String)
- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
- `resources` (List of String)
Optional:
- `scope` (String)
## Example Usage
```terraform
@ -46,78 +225,6 @@ resource "kubernetes_validating_webhook_configuration_v1" "example" {
The provider supports clusters running either `v1` or `v1beta1` of the Admission Registration API.
## Argument Reference
The following arguments are supported:
* `metadata` - (Required) Standard Validating Webhook Configuration metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
* `webhook` - (Required) A list of webhooks and the affected resources and operations.
## Nested Blocks
### `metadata`
#### Arguments
* `annotations` - (Optional) An unstructured key value map stored with the Validating Webhook Configuration that may be used to store arbitrary metadata.
~> By default, the provider ignores any annotations whose key names end with *kubernetes.io*. This is necessary because such annotations can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such annotations in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
* `generate_name` - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the `name` field has not been provided. This value will also be combined with a unique suffix. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#idempotency)
* `labels` - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the Validating Webhook Configuration. May match selectors of replication controllers and services.
~> By default, the provider ignores any labels whose key names end with *kubernetes.io*. This is necessary because such labels can be mutated by server-side components and consequently cause a perpetual diff in the Terraform plan output. If you explicitly specify any such labels in the configuration template then Terraform will consider these as normal resource attributes and manage them as expected (while still avoiding the perpetual diff problem). For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* `name` - (Optional) Name of the Validating Webhook Configuration, must be unique. Cannot be updated. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)
#### Attributes
* `generation` - A sequence number representing a specific generation of the desired state.
* `resource_version` - An opaque value that represents the internal version of this Validating Webhook Configuration that can be used by clients to determine when Validating Webhook Configuration has changed. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency)
* `uid` - The unique in time and space value for this Validating Webhook Configuration. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids)
### `webhook`
#### Arguments
* `admission_review_versions` - (Optional) AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list are supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
* `client_config` - (Required) ClientConfig defines how to communicate with the hook.
* `failure_policy` - (Optional) FailurePolicy defines how unrecognized errors from the admission endpoint are handled - Allowed values are "Ignore" or "Fail". Defaults to "Fail".
* `match_policy` - (Optional) matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
* `name` - (Required) The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
* `namespace_selector` - (Optional) NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
* `object_selector` - (Optional) ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
* `rule` - (Optional) Describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches *any* Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
* `side_effects` - (Required) SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
* `timeout_seconds` - (Optional) TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
### `client_config`
#### Arguments
* `ca_bundle` - (Optional) A PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
* `service` - (Optional) A reference to the service for this webhook. Either `service` or `url` must be specified. If the webhook is running within the cluster, then you should use `service`.
* `url` - (Optional) Gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. The scheme must be "https"; the URL must begin with "https://". A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.
### `service`
#### Arguments
* `name` - (Required) The name of the service.
* `namespace` - (Required) The namespace of the service.
* `path` - (Optional) The URL path which will be sent in any request to this service.
* `port` - (Optional) If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).
### `rule`
#### Arguments
* `api_groups` - (Required) The API groups the resources belong to. '\*' is all groups. If '\*' is present, the length of the list must be one.
* `api_versions` - (Required) The API versions the resources belong to. '\*' is all versions. If '\*' is present, the length of the list must be one.
* `operations` - (Required) The operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '\*' is present, the length of the list must be one.
* `resources` - (Required) A list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '\*' means all resources, but not subresources. 'pods/\*' means all subresources of pods. '\*/scale' means all scale subresources. '\*/\*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed.
* `scope` - (Optional) Specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
## Import
Validating Webhook Configuration can be imported using the name, e.g.

3
examples/data-sources/all_namespaces/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_all_namespaces" "allns" {}
output "all-ns" {

3
examples/data-sources/all_namespaces/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_all_namespaces" "allns" {}
output "all-ns" {

3
examples/data-sources/config_map/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_config_map" "example" {
metadata {
name = "my-config"

3
examples/data-sources/config_map/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_config_map" "example" {
metadata {
name = "my-config"

3
examples/data-sources/config_map_v1/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_config_map_v1" "example" {
metadata {
name = "my-config"

3
examples/data-sources/config_map_v1/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_config_map_v1" "example" {
metadata {
name = "my-config"

3
examples/data-sources/endpoints_v1/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_endpoints_v1" "api_endpoints" {
metadata {
name = "kubernetes"

3
examples/data-sources/endpoints_v1/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_endpoints_v1" "api_endpoints" {
metadata {
name = "kubernetes"

3
examples/data-sources/ingress/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_ingress" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/ingress/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_ingress" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/ingress_v1/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_ingress_v1" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/ingress_v1/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_ingress_v1" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/mutating_webhook_configuration_v1/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_mutating_webhook_configuration_v1" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/mutating_webhook_configuration_v1/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_mutating_webhook_configuration_v1" "example" {
metadata {
name = "terraform-example"

3
examples/data-sources/namespace/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_namespace" "example" {
metadata {
name = "kube-system"

3
examples/data-sources/namespace/example_2.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_namespace" "example" {
metadata {
name = "kube-system"

3
examples/data-sources/namespace_v1/example_1.tf
View file

@ -1,6 +1,3 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
data "kubernetes_namespace_v1" "example" {
metadata {
name = "kube-system"

Some files were not shown because too many files have changed in this diff Show more