You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -213,7 +216,8 @@ The filtering is done on the controller side and might not be as efficient as th
213
216
Filtered objects are dropped before any caching or processing. + | |
214
217
| *`stripManagedFields`* __boolean__ | StripManagedFields removes the managedFields from the watched resource. +
215
218
managedFields are not used in Espejote and if the template does not use them, they can be removed to significantly reduce the size of cached objects. +
216
-
Defaults to true if not set. + | |
219
+
Defaults to true if not set. + | | Optional: \{} +
220
+
217
221
|===
218
222
219
223
@@ -333,7 +337,8 @@ ManagedResourceSpec defines the desired state of ManagedResource
333
337
| Field | Description | Default | Validation
334
338
| *`triggers`* __xref:{anchor_prefix}-github-com-vshn-espejote-api-v1alpha1-managedresourcetrigger[$$ManagedResourceTrigger$$] array__ | Triggers define the resources that trigger the reconciliation of the ManagedResource +
335
339
Trigger information will be injected when rendering the template. +
336
-
This can be used to only partially render the template based on the trigger. + | |
340
+
This can be used to only partially render the template based on the trigger. + | | Optional: \{} +
341
+
337
342
| *`context`* __xref:{anchor_prefix}-github-com-vshn-espejote-api-v1alpha1-managedresourcecontext[$$ManagedResourceContext$$] array__ | Context defines the context for the ManagedResource + | |
338
343
| *`serviceAccountRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | ServiceAccountRef is the service account this managed resource runs as. +
339
344
The service account must have the necessary permissions to manage the resources referenced in the template. +
@@ -356,6 +361,7 @@ If the initial sync does not complete within this time, the ManagedResource is m
356
361
This usually happens because of missing RBAC permissions. +
357
362
After the initial sync, the ManagedResource is reconciled normally. +
358
363
Defaults to 2 minutes. + | | Format: duration +
364
+
Optional: \{} +
359
365
360
366
| *`applyOptions`* __xref:{anchor_prefix}-github-com-vshn-espejote-api-v1alpha1-applyoptions[$$ApplyOptions$$]__ | ApplyOptions defines the options for applying the ManagedResource + | |
361
367
|===
@@ -406,7 +412,8 @@ More information can be found by inspecting the ManagedResource's events with ei
406
412
407
413
| *`watchResource`* __xref:{anchor_prefix}-github-com-vshn-espejote-api-v1alpha1-triggerwatchresource[$$TriggerWatchResource$$]__ | WatchResource defines one or multiple resources that trigger the reconciliation of the ManagedResource. +
408
414
Resource information is injected when rendering the template and can be retrieved using `(import "espejote.libsonnet").getTrigger()`. +
409
-
`local esp = import "espejote.libsonnet"; esp.triggerType() == esp.TriggerTypeWatchResource` will be true if the render was triggered by a definition in this block. + | |
415
+
`local esp = import "espejote.libsonnet"; esp.triggerType() == esp.TriggerTypeWatchResource` will be true if the render was triggered by a definition in this block. + | | Optional: \{} +
416
+
410
417
| *`watchContextResource`* __xref:{anchor_prefix}-github-com-vshn-espejote-api-v1alpha1-watchcontextresource[$$WatchContextResource$$]__ | WatchContextResource works the same as WatchResource, but it uses and already existing context resource. +
411
418
This is useful when you require both full (when the template changes) and partial (a context resource changes) reconciliation of the same resource. +
412
419
Check the example below. Both a context resource and a trigger are defined. If the trigger is not known in the template all network policies are reconciled. +
@@ -486,7 +493,8 @@ The filtering is done on the controller side and might not be as efficient as th
486
493
Filtered objects are dropped before any caching or processing. + | |
487
494
| *`stripManagedFields`* __boolean__ | StripManagedFields removes the managedFields from the watched resource. +
488
495
managedFields are not used in Espejote and if the template does not use them, they can be removed to significantly reduce the size of cached objects. +
489
-
Defaults to true if not set. + | |
496
+
Defaults to true if not set. + | | Optional: \{} +
497
+
490
498
|===
491
499
492
500
@@ -536,7 +544,8 @@ from putting the cluster in a state which cannot be recovered from without compl
536
544
disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called +
537
545
on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + | |
538
546
| *`failurePolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#failurepolicytype-v1-admissionregistration[$$FailurePolicyType$$]__ | FailurePolicy defines how unrecognized errors from the admission endpoint are handled - +
539
-
allowed values are Ignore or Fail. Defaults to Fail. + | |
547
+
allowed values are Ignore or Fail. Defaults to Fail. + | | Optional: \{} +
548
+
540
549
| *`matchPolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#matchpolicytype-v1-admissionregistration[$$MatchPolicyType$$]__ | matchPolicy defines how the "rules" list is used to match incoming requests. +
541
550
Allowed values are "Exact" or "Equivalent". +
542
551
@@ -550,7 +559,8 @@ For example, if deployments can be modified via apps/v1, apps/v1beta1, and exten
550
559
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, +
551
560
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
552
561
553
-
Defaults to "Equivalent" + | |
562
+
Defaults to "Equivalent" + | | Optional: \{} +
563
+
554
564
| *`objectSelector`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#labelselector-v1-meta[$$LabelSelector$$]__ | ObjectSelector decides whether to run the webhook based on if the +
555
565
object has matching labels. objectSelector is evaluated against both +
556
566
the oldObject and newObject that would be sent to the webhook, and +
@@ -561,7 +571,8 @@ DeploymentRollback or a PodProxyOptions object) is not considered to +
561
571
match. +
562
572
Use the object selector only if the webhook is opt-in, because end +
563
573
users may skip the admission webhook by setting the labels. +
564
-
Default to the empty LabelSelector, which matches everything. + | |
574
+
Default to the empty LabelSelector, which matches everything. + | | Optional: \{} +
575
+
565
576
| *`reinvocationPolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#reinvocationpolicytype-v1-admissionregistration[$$ReinvocationPolicyType$$]__ | reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. +
566
577
Allowed values are "Never" and "IfNeeded". +
567
578
@@ -576,7 +587,8 @@ Note: +
576
587
* webhooks that use this option may be reordered to minimize the number of additional invocations. +
577
588
* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. +
578
589
579
-
Defaults to "Never". + | |
590
+
Defaults to "Never". + | | Optional: \{} +
591
+
580
592
| *`matchConditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#matchcondition-v1-admissionregistration[$$MatchCondition$$] array__ | MatchConditions is a list of conditions that must be met for a request to be sent to this +
581
593
webhook. Match conditions filter requests that have already been matched by the rules, +
582
594
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. +
@@ -587,7 +599,8 @@ The exact matching logic is (in order): +
587
599
2. If ALL matchConditions evaluate to TRUE, the webhook is called. +
588
600
3. If any matchCondition evaluates to an error (but none are FALSE): +
589
601
- If failurePolicy=Fail, reject the request +
590
-
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped + | |
602
+
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped + | | Optional: \{} +
Default to the empty LabelSelector, which matches everything. + | |
666
+
Default to the empty LabelSelector, which matches everything. + | | Optional: \{} +
667
+
654
668
| *`rules`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#rulewithoperations-v1-admissionregistration[$$RuleWithOperations$$] array__ | Rules describes what operations on what resources/subresources the webhook cares about. +
655
669
The webhook cares about an operation if it matches _any_ Rule. +
656
670
However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks +
657
671
from putting the cluster in a state which cannot be recovered from without completely +
658
672
disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called +
659
673
on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + | |
660
674
| *`failurePolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#failurepolicytype-v1-admissionregistration[$$FailurePolicyType$$]__ | FailurePolicy defines how unrecognized errors from the admission endpoint are handled - +
661
-
allowed values are Ignore or Fail. Defaults to Fail. + | |
675
+
allowed values are Ignore or Fail. Defaults to Fail. + | | Optional: \{} +
676
+
662
677
| *`matchPolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#matchpolicytype-v1-admissionregistration[$$MatchPolicyType$$]__ | matchPolicy defines how the "rules" list is used to match incoming requests. +
663
678
Allowed values are "Exact" or "Equivalent". +
664
679
@@ -672,7 +687,8 @@ For example, if deployments can be modified via apps/v1, apps/v1beta1, and exten
672
687
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, +
673
688
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
674
689
675
-
Defaults to "Equivalent" + | |
690
+
Defaults to "Equivalent" + | | Optional: \{} +
691
+
676
692
| *`objectSelector`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#labelselector-v1-meta[$$LabelSelector$$]__ | ObjectSelector decides whether to run the webhook based on if the +
677
693
object has matching labels. objectSelector is evaluated against both +
678
694
the oldObject and newObject that would be sent to the webhook, and +
@@ -683,7 +699,8 @@ DeploymentRollback or a PodProxyOptions object) is not considered to +
683
699
match. +
684
700
Use the object selector only if the webhook is opt-in, because end +
685
701
users may skip the admission webhook by setting the labels. +
686
-
Default to the empty LabelSelector, which matches everything. + | |
702
+
Default to the empty LabelSelector, which matches everything. + | | Optional: \{} +
703
+
687
704
| *`reinvocationPolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#reinvocationpolicytype-v1-admissionregistration[$$ReinvocationPolicyType$$]__ | reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. +
688
705
Allowed values are "Never" and "IfNeeded". +
689
706
@@ -698,7 +715,8 @@ Note: +
698
715
* webhooks that use this option may be reordered to minimize the number of additional invocations. +
699
716
* to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. +
700
717
701
-
Defaults to "Never". + | |
718
+
Defaults to "Never". + | | Optional: \{} +
719
+
702
720
| *`matchConditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#matchcondition-v1-admissionregistration[$$MatchCondition$$] array__ | MatchConditions is a list of conditions that must be met for a request to be sent to this +
703
721
webhook. Match conditions filter requests that have already been matched by the rules, +
704
722
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. +
@@ -709,7 +727,8 @@ The exact matching logic is (in order): +
709
727
2. If ALL matchConditions evaluate to TRUE, the webhook is called. +
710
728
3. If any matchCondition evaluates to an error (but none are FALSE): +
711
729
- If failurePolicy=Fail, reject the request +
712
-
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped + | |
730
+
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped + | | Optional: \{} +
0 commit comments