diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 0626a98881a1..faddebc59783 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -4035,6 +4035,8 @@ Topics:
 File: authentication-config-openshift-io-v1
 - Name: 'Build [config.openshift.io/v1]'
 File: build-config-openshift-io-v1
+ - Name: 'ClusterImagePolicy [config.openshift.io/v1]'
+ File: clusterimagepolicy-config-openshift-io-v1
 - Name: 'ClusterOperator [config.openshift.io/v1]'
 File: clusteroperator-config-openshift-io-v1
 - Name: 'ClusterVersion [config.openshift.io/v1]'
@@ -4053,6 +4055,8 @@ Topics:
 File: imagedigestmirrorset-config-openshift-io-v1
 - Name: 'ImageContentPolicy [config.openshift.io/v1]'
 File: imagecontentpolicy-config-openshift-io-v1
+ - Name: 'ImagePolicy [config.openshift.io/v1]'
+ File: imagepolicy-config-openshift-io-v1
 - Name: 'ImageTagMirrorSet [config.openshift.io/v1]'
 File: imagetagmirrorset-config-openshift-io-v1
 - Name: 'Infrastructure [config.openshift.io/v1]'
@@ -4546,6 +4550,8 @@ Topics:
 File: storageversionmigration-migration-k8s-io-v1alpha1
 - Name: 'VolumeAttachment [storage.k8s.io/v1]'
 File: volumeattachment-storage-k8s-io-v1
+ - Name: 'VolumePopulator [populator.storage.k8s.io/v1beta1]'
+ File: volumepopulator-populator-storage-k8s-io-v1beta1
 - Name: 'VolumeSnapshot [snapshot.storage.k8s.io/v1]'
 File: volumesnapshot-snapshot-storage-k8s-io-v1
 - Name: 'VolumeSnapshotClass [snapshot.storage.k8s.io/v1]'
diff --git a/api-config.yaml b/api-config.yaml
index 3b127376c0b6..e6d77dca2cc0 100644
--- a/api-config.yaml
+++ b/api-config.yaml
@@ -131,9 +131,9 @@ apiMap:
 - kind: Build
 group: config.openshift.io
 version: v1
-# - kind: ClusterImagePolicy
-# group: config.openshift.io
-# version: v1alpha1
+ - kind: ClusterImagePolicy
+ group: config.openshift.io
+ version: v1
 - kind: ClusterOperator
 group: config.openshift.io
 version: v1
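Review bot: Enabling `ClusterImagePolicy` at `version: v1` in the first api-config.yaml hunk publishes a page whose `policyType` description lists "PKI" as an allowed value (behind the SigstoreImageVerificationPKI feature gate), yet the `.spec.policy.rootOfTrust` table on that page documents only `fulcioCAWithRekor`, `policyType` and `publicKey`. A reader who selects "PKI" for signature verification therefore has no documented field to configure it with; presumably the generator ran against a schema without the gated field, which should be confirmed. Since the page itself is generated, I would record this next to the entry, e.g. `# ClusterImagePolicy: "PKI" rootOfTrust fields are feature-gated and absent from the generated page`. The `ImagePolicy` entry in the hunk at -161 may need the same comment, but its page is cut off in this view.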
@@ -161,6 +161,9 @@ apiMap:
 - kind: ImageContentPolicy
 group: config.openshift.io
 version: v1
+ - kind: ImagePolicy
+ group: config.openshift.io
+ version: v1
 - kind: ImageTagMirrorSet
 group: config.openshift.io
 version: v1
@@ -843,15 +846,9 @@ apiMap:
 - kind: VolumeAttachment
 group: storage.k8s.io
 version: v1
-# - kind: VolumeGroupSnapshot
-# group: groupsnapshot.storage.k8s.io
-# version: v1alpha1
-# - kind: VolumeGroupSnapshotClass
-# group: groupsnapshot.storage.k8s.io
-# version: v1alpha1
-# - kind: VolumeGroupSnapshotContent
-# group: groupsnapshot.storage.k8s.io
-# version: v1alpha1
+ - kind: VolumePopulator
+ group: populator.storage.k8s.io
+ version: v1beta1
 - kind: VolumeSnapshot
 group: snapshot.storage.k8s.io
 version: v1
diff --git a/rest_api/config_apis/clusterimagepolicy-config-openshift-io-v1.adoc b/rest_api/config_apis/clusterimagepolicy-config-openshift-io-v1.adoc
new file mode 100644
index 000000000000..d59f32df2c7f
--- /dev/null
+++ b/rest_api/config_apis/clusterimagepolicy-config-openshift-io-v1.adoc
@@ -0,0 +1,807 @@ +// Automatically generated by 'openshift-apidocs-gen'. Do not edit. +:_mod-docs-content-type: ASSEMBLY +[id="clusterimagepolicy-config-openshift-io-v1"] += ClusterImagePolicy [config.openshift.io/v1] +:toc: macro +:toc-title: + +toc::[] + + +Description:: ++ +-- +ClusterImagePolicy holds cluster-wide configuration for image signature verification + +Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +-- + +Type:: + `object` + +Required:: + - `spec` + + +== Specification + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`] +| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + +| `spec` +| `object` +| spec contains the configuration for the cluster image policy. + +| `status` +| `object` +| status contains the observed state of the resource. + +|=== +=== .spec +Description:: ++ +-- +spec contains the configuration for the cluster image policy. 
+-- + +Type:: + `object` + +Required:: + - `policy` + - `scopes` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `policy` +| `object` +| policy is a required field that contains configuration to allow scopes to be verified, and defines how +images not matching the verification policy will be treated. + +| `scopes` +| `array (string)` +| scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". +Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). +More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository +namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). +Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. +This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. +In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories +quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. 
+If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. +For additional details about the format, please refer to the document explaining the docker transport field, +which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + +|=== +=== .spec.policy +Description:: ++ +-- +policy is a required field that contains configuration to allow scopes to be verified, and defines how +images not matching the verification policy will be treated. +-- + +Type:: + `object` + +Required:: + - `rootOfTrust` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `rootOfTrust` +| `object` +| rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. +This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + +| `signedIdentity` +| `object` +| signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. +The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + +|=== +=== .spec.policy.rootOfTrust +Description:: ++ +-- +rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. 
+This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. +-- + +Type:: + `object` + +Required:: + - `policyType` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `fulcioCAWithRekor` +| `object` +| fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. +fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise +For more information about Fulcio and Rekor, please refer to the document at: +https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + +| `policyType` +| `string` +| policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. +Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". +When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. +When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. +When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + +| `publicKey` +| `object` +| publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. +publicKey is required when policyType is PublicKey, and forbidden otherwise. + +|=== +=== .spec.policy.rootOfTrust.fulcioCAWithRekor +Description:: ++ +-- +fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. 
+fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise +For more information about Fulcio and Rekor, please refer to the document at: +https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor +-- + +Type:: + `object` + +Required:: + - `fulcioCAData` + - `fulcioSubject` + - `rekorKeyData` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `fulcioCAData` +| `string` +| fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. +fulcioCAData must be at most 8192 characters. + +| `fulcioSubject` +| `object` +| fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration. + +| `rekorKeyData` +| `string` +| rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. +rekorKeyData must be at most 8192 characters. + +|=== +=== .spec.policy.rootOfTrust.fulcioCAWithRekor.fulcioSubject +Description:: ++ +-- +fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration. +-- + +Type:: + `object` + +Required:: + - `oidcIssuer` + - `signedEmail` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `oidcIssuer` +| `string` +| oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. +It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. +When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. +Example: "https://expected.OIDC.issuer/" + +| `signedEmail` +| `string` +| signedEmail is a required field holds the email address that the Fulcio certificate is issued for. +The signedEmail must be a valid email address and at most 320 characters in length. 
+Example: "expected-signing-user@example.com" + +|=== +=== .spec.policy.rootOfTrust.publicKey +Description:: ++ +-- +publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. +publicKey is required when policyType is PublicKey, and forbidden otherwise. +-- + +Type:: + `object` + +Required:: + - `keyData` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `keyData` +| `string` +| keyData is a required field contains inline base64-encoded data for the PEM format public key. +keyData must be at most 8192 characters. + +| `rekorKeyData` +| `string` +| rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. +rekorKeyData must be at most 8192 characters. + +|=== +=== .spec.policy.signedIdentity +Description:: ++ +-- +signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. +The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". +-- + +Type:: + `object` + +Required:: + - `matchPolicy` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `exactRepository` +| `object` +| exactRepository specifies the repository that must be exactly matched by the identity in the signature. +exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. 
+ +| `matchPolicy` +| `string` +| matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. +Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". +When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. +When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. +When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". +When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + +| `remapIdentity` +| `object` +| remapIdentity specifies the prefix remapping rule for verifying image identity. +remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + +|=== +=== .spec.policy.signedIdentity.exactRepository +Description:: ++ +-- +exactRepository specifies the repository that must be exactly matched by the identity in the signature. +exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. 
+-- + +Type:: + `object` + +Required:: + - `repository` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `repository` +| `string` +| repository is the reference of the image identity to be matched. +repository is required if matchPolicy is set to "ExactRepository". +The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + +|=== +=== .spec.policy.signedIdentity.remapIdentity +Description:: ++ +-- +remapIdentity specifies the prefix remapping rule for verifying image identity. +remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. +-- + +Type:: + `object` + +Required:: + - `prefix` + - `signedPrefix` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `prefix` +| `string` +| prefix is required if matchPolicy is set to "RemapIdentity". +prefix is the prefix of the image identity to be matched. +If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). +This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. +The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, +or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. +For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + +| `signedPrefix` +| `string` +| signedPrefix is required if matchPolicy is set to "RemapIdentity". 
+signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, +or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. +For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + +|=== +=== .status +Description:: ++ +-- +status contains the observed state of the resource. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `conditions` +| `array` +| conditions provide details on the status of this API Resource. + +| `conditions[]` +| `object` +| Condition contains details for one aspect of the current state of this API Resource. + +|=== +=== .status.conditions +Description:: ++ +-- +conditions provide details on the status of this API Resource. +-- + +Type:: + `array` + + + + +=== .status.conditions[] +Description:: ++ +-- +Condition contains details for one aspect of the current state of this API Resource. +-- + +Type:: + `object` + +Required:: + - `lastTransitionTime` + - `message` + - `reason` + - `status` + - `type` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `lastTransitionTime` +| `string` +| lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + +| `message` +| `string` +| message is a human readable message indicating details about the transition. +This may be an empty string. + +| `observedGeneration` +| `integer` +| observedGeneration represents the .metadata.generation that the condition was set based upon. 
+For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance. + +| `reason` +| `string` +| reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty. + +| `status` +| `string` +| status of the condition, one of True, False, Unknown. + +| `type` +| `string` +| type of condition in CamelCase or in foo.example.com/CamelCase. + +|=== + +== API endpoints + +The following API endpoints are available: + +* `/apis/config.openshift.io/v1/clusterimagepolicies` +- `DELETE`: delete collection of ClusterImagePolicy +- `GET`: list objects of kind ClusterImagePolicy +- `POST`: create a ClusterImagePolicy +* `/apis/config.openshift.io/v1/clusterimagepolicies/{name}` +- `DELETE`: delete a ClusterImagePolicy +- `GET`: read the specified ClusterImagePolicy +- `PATCH`: partially update the specified ClusterImagePolicy +- `PUT`: replace the specified ClusterImagePolicy +* `/apis/config.openshift.io/v1/clusterimagepolicies/{name}/status` +- `GET`: read status of the specified ClusterImagePolicy +- `PATCH`: partially update status of the specified ClusterImagePolicy +- `PUT`: replace status of the specified ClusterImagePolicy + + +=== /apis/config.openshift.io/v1/clusterimagepolicies + + + +HTTP method:: + `DELETE` + +Description:: + delete collection of ClusterImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + list objects of kind ClusterImagePolicy + + + + +.HTTP 
responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-openshift-config-v1-ClusterImagePolicyList[`ClusterImagePolicyList`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `POST` + +Description:: + create a ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 201 - Created +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 202 - Accepted +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/config.openshift.io/v1/clusterimagepolicies/{name} + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the ClusterImagePolicy +|=== + + +HTTP method:: + `DELETE` + +Description:: + delete a ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 202 - Accepted +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + read the specified ClusterImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update the specified ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace the specified ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 201 - Created +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/config.openshift.io/v1/clusterimagepolicies/{name}/status + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the ClusterImagePolicy +|=== + + +HTTP method:: + `GET` + +Description:: + read status of the specified ClusterImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update status of the specified ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace status of the specified ClusterImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. 
- Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 201 - Created +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`ClusterImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + diff --git a/rest_api/config_apis/config-apis-index.adoc b/rest_api/config_apis/config-apis-index.adoc index 6ea42aadef60..14a23fc9bd91 100644 --- a/rest_api/config_apis/config-apis-index.adoc +++ b/rest_api/config_apis/config-apis-index.adoc 
@@ -49,6 +49,19 @@ The canonical name is "cluster" Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -- +Type:: + `object` + +== ClusterImagePolicy [config.openshift.io/v1] + +Description:: ++ +-- +ClusterImagePolicy holds cluster-wide configuration for image signature verification + +Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +-- + Type:: `object` @@ -178,6 +191,19 @@ When multiple policies are defined, the outcome of the behavior is defined on ea Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -- +Type:: + `object` + +== ImagePolicy [config.openshift.io/v1] + +Description:: ++ +-- +ImagePolicy holds namespace-wide configuration for image signature verification + +Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +-- + Type:: `object` diff --git a/rest_api/config_apis/imagepolicy-config-openshift-io-v1.adoc b/rest_api/config_apis/imagepolicy-config-openshift-io-v1.adoc new file mode 100644 index 000000000000..c430444a4db4 --- /dev/null +++ b/rest_api/config_apis/imagepolicy-config-openshift-io-v1.adoc 
@@ -0,0 +1,833 @@ +// Automatically generated by 'openshift-apidocs-gen'. Do not edit. +:_mod-docs-content-type: ASSEMBLY +[id="imagepolicy-config-openshift-io-v1"] += ImagePolicy [config.openshift.io/v1] +:toc: macro +:toc-title: + +toc::[] + + +Description:: ++ +-- +ImagePolicy holds namespace-wide configuration for image signature verification + +Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +-- + +Type:: + `object` + +Required:: + - `spec` + + +== Specification + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`] +| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + +| `spec` +| `object` +| spec holds user settable values for configuration + +| `status` +| `object` +| status contains the observed state of the resource. 
+ +|=== +=== .spec +Description:: ++ +-- +spec holds user settable values for configuration +-- + +Type:: + `object` + +Required:: + - `policy` + - `scopes` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `policy` +| `object` +| policy is a required field that contains configuration to allow scopes to be verified, and defines how +images not matching the verification policy will be treated. + +| `scopes` +| `array (string)` +| scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". +Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). +More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository +namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). +Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. +This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. +In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories +quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. 
+If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. +For additional details about the format, please refer to the document explaining the docker transport field, +which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + +|=== +=== .spec.policy +Description:: ++ +-- +policy is a required field that contains configuration to allow scopes to be verified, and defines how +images not matching the verification policy will be treated. +-- + +Type:: + `object` + +Required:: + - `rootOfTrust` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `rootOfTrust` +| `object` +| rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. +This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + +| `signedIdentity` +| `object` +| signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. +The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + +|=== +=== .spec.policy.rootOfTrust +Description:: ++ +-- +rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. 
+This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. +-- + +Type:: + `object` + +Required:: + - `policyType` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `fulcioCAWithRekor` +| `object` +| fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. +fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise +For more information about Fulcio and Rekor, please refer to the document at: +https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + +| `policyType` +| `string` +| policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. +Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". +When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. +When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. +When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + +| `publicKey` +| `object` +| publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. +publicKey is required when policyType is PublicKey, and forbidden otherwise. + +|=== +=== .spec.policy.rootOfTrust.fulcioCAWithRekor +Description:: ++ +-- +fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. 
+fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise +For more information about Fulcio and Rekor, please refer to the document at: +https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor +-- + +Type:: + `object` + +Required:: + - `fulcioCAData` + - `fulcioSubject` + - `rekorKeyData` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `fulcioCAData` +| `string` +| fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. +fulcioCAData must be at most 8192 characters. + +| `fulcioSubject` +| `object` +| fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration. + +| `rekorKeyData` +| `string` +| rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. +rekorKeyData must be at most 8192 characters. + +|=== +=== .spec.policy.rootOfTrust.fulcioCAWithRekor.fulcioSubject +Description:: ++ +-- +fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration. +-- + +Type:: + `object` + +Required:: + - `oidcIssuer` + - `signedEmail` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `oidcIssuer` +| `string` +| oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. +It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. +When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. +Example: "https://expected.OIDC.issuer/" + +| `signedEmail` +| `string` +| signedEmail is a required field holds the email address that the Fulcio certificate is issued for. +The signedEmail must be a valid email address and at most 320 characters in length. 
+Example: "expected-signing-user@example.com" + +|=== +=== .spec.policy.rootOfTrust.publicKey +Description:: ++ +-- +publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. +publicKey is required when policyType is PublicKey, and forbidden otherwise. +-- + +Type:: + `object` + +Required:: + - `keyData` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `keyData` +| `string` +| keyData is a required field contains inline base64-encoded data for the PEM format public key. +keyData must be at most 8192 characters. + +| `rekorKeyData` +| `string` +| rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. +rekorKeyData must be at most 8192 characters. + +|=== +=== .spec.policy.signedIdentity +Description:: ++ +-- +signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. +The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". +-- + +Type:: + `object` + +Required:: + - `matchPolicy` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `exactRepository` +| `object` +| exactRepository specifies the repository that must be exactly matched by the identity in the signature. +exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. 
+ +| `matchPolicy` +| `string` +| matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. +Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". +When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. +When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. +When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". +When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + +| `remapIdentity` +| `object` +| remapIdentity specifies the prefix remapping rule for verifying image identity. +remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + +|=== +=== .spec.policy.signedIdentity.exactRepository +Description:: ++ +-- +exactRepository specifies the repository that must be exactly matched by the identity in the signature. +exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. 
+-- + +Type:: + `object` + +Required:: + - `repository` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `repository` +| `string` +| repository is the reference of the image identity to be matched. +repository is required if matchPolicy is set to "ExactRepository". +The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + +|=== +=== .spec.policy.signedIdentity.remapIdentity +Description:: ++ +-- +remapIdentity specifies the prefix remapping rule for verifying image identity. +remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. +-- + +Type:: + `object` + +Required:: + - `prefix` + - `signedPrefix` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `prefix` +| `string` +| prefix is required if matchPolicy is set to "RemapIdentity". +prefix is the prefix of the image identity to be matched. +If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). +This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. +The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, +or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. +For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + +| `signedPrefix` +| `string` +| signedPrefix is required if matchPolicy is set to "RemapIdentity". 
+signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, +or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. +For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + +|=== +=== .status +Description:: ++ +-- +status contains the observed state of the resource. +-- + +Type:: + `object` + + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `conditions` +| `array` +| conditions provide details on the status of this API Resource. +condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + +| `conditions[]` +| `object` +| Condition contains details for one aspect of the current state of this API Resource. + +|=== +=== .status.conditions +Description:: ++ +-- +conditions provide details on the status of this API Resource. +condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. +-- + +Type:: + `array` + + + + +=== .status.conditions[] +Description:: ++ +-- +Condition contains details for one aspect of the current state of this API Resource. +-- + +Type:: + `object` + +Required:: + - `lastTransitionTime` + - `message` + - `reason` + - `status` + - `type` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `lastTransitionTime` +| `string` +| lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + +| `message` +| `string` +| message is a human readable message indicating details about the transition. +This may be an empty string. + +| `observedGeneration` +| `integer` +| observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance. + +| `reason` +| `string` +| reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty. + +| `status` +| `string` +| status of the condition, one of True, False, Unknown. + +| `type` +| `string` +| type of condition in CamelCase or in foo.example.com/CamelCase. 
+ +|=== + +== API endpoints + +The following API endpoints are available: + +* `/apis/config.openshift.io/v1/imagepolicies` +- `GET`: list objects of kind ImagePolicy +* `/apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies` +- `DELETE`: delete collection of ImagePolicy +- `GET`: list objects of kind ImagePolicy +- `POST`: create an ImagePolicy +* `/apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies/{name}` +- `DELETE`: delete an ImagePolicy +- `GET`: read the specified ImagePolicy +- `PATCH`: partially update the specified ImagePolicy +- `PUT`: replace the specified ImagePolicy +* `/apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies/{name}/status` +- `GET`: read status of the specified ImagePolicy +- `PATCH`: partially update status of the specified ImagePolicy +- `PUT`: replace status of the specified ImagePolicy + + +=== /apis/config.openshift.io/v1/imagepolicies + + + +HTTP method:: + `GET` + +Description:: + list objects of kind ImagePolicy + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-openshift-config-v1-ImagePolicyList[`ImagePolicyList`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies + + + +HTTP method:: + `DELETE` + +Description:: + delete collection of ImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + list objects of kind ImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-openshift-config-v1-ImagePolicyList[`ImagePolicyList`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `POST` + +Description:: + create an ImagePolicy + 
+ +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 201 - Created +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 202 - Accepted +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies/{name} + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the ImagePolicy +|=== + + +HTTP method:: + `DELETE` + +Description:: + delete an ImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 202 - Accepted +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + read the specified ImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update the specified ImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace the specified ImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 201 - Created +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/config.openshift.io/v1/namespaces/{namespace}/imagepolicies/{name}/status + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the ImagePolicy +|=== + + +HTTP method:: + `GET` + +Description:: + read status of the specified ImagePolicy + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update status of the specified ImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace status of the specified ImagePolicy + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. 
- Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 201 - Created +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`ImagePolicy`] schema +| 401 - Unauthorized +| Empty +|=== + + diff --git a/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc b/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc index df4a34dcbd07..6d0b8258ca52 100644 --- a/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc +++ b/rest_api/image_apis/imagestreamimport-image-openshift-io-v1.adoc 
@@ -138,7 +138,7 @@ Required:: | TagReferencePolicy describes how pull-specs for images in this image stream tag are generated when image change triggers in deployment configs or builds are resolved. This allows the image stream author to control how images are accessed. | `to` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | To is a tag in the current image stream to assign the imported image to, if name is not specified the default tag from from.name will be used |=== @@ -2524,7 +2524,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../image_apis/imagestreamimport-image-openshift-io-v1.adoc#imagestreamimport-image-openshift-io-v1[`ImageStreamImport`] schema -| +| |=== .HTTP responses diff --git a/rest_api/machine_apis/machinehealthcheck-machine-openshift-io-v1beta1.adoc b/rest_api/machine_apis/machinehealthcheck-machine-openshift-io-v1beta1.adoc index e3ac54f488cb..a7675b270ebc 100644 --- a/rest_api/machine_apis/machinehealthcheck-machine-openshift-io-v1beta1.adoc +++ b/rest_api/machine_apis/machinehealthcheck-machine-openshift-io-v1beta1.adoc @@ -71,6 +71,7 @@ Type:: Expects either a postive integer value or a percentage value. Percentage values must be positive whole numbers and are capped at 100%. Both 0 and 0% are valid and will block all remediation. +Defaults to 100% if not set. | `nodeStartupTimeout` | `string` diff --git a/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc index 805b36bf2c5d..cde368fd85f7 100644 --- a/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc +++ b/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc @@ -386,7 +386,7 @@ Cannot be set at the same time as `authorization`, or `basicAuth`. | `params{}` | `array (string)` -| +| | `path` | `string` 
@@ -436,7 +436,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config @@ -835,7 +835,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -1436,7 +1436,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config -- @@ -1986,7 +1986,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc#podmonitor-monitoring-coreos-com-v1[`PodMonitor`] schema -| +| |=== .HTTP responses @@ -2119,7 +2119,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/podmonitor-monitoring-coreos-com-v1.adoc#podmonitor-monitoring-coreos-com-v1[`PodMonitor`] schema -| +| |=== .HTTP responses diff --git a/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc index 7609ad1e5b6b..fa53a6b0a2bc 100644 --- a/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc +++ b/rest_api/monitoring_apis/probe-monitoring-coreos-com-v1.adoc @@ -554,7 +554,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` 
@@ -1304,9 +1304,9 @@ Type:: | RelabelConfigs to apply to the label set of the target before it gets scraped. The original ingress address is available via the -`\__tmp_prometheus_ingress_address` label. It can be used to customize the +`__tmp_prometheus_ingress_address` label. It can be used to customize the probed URL. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config | `relabelingConfigs[]` @@ -1355,9 +1355,9 @@ Description:: RelabelConfigs to apply to the label set of the target before it gets scraped. The original ingress address is available via the -`\__tmp_prometheus_ingress_address` label. It can be used to customize the +`__tmp_prometheus_ingress_address` label. It can be used to customize the probed URL. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config -- @@ -2029,7 +2029,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/probe-monitoring-coreos-com-v1.adoc#probe-monitoring-coreos-com-v1[`Probe`] schema -| +| |=== .HTTP responses @@ -2162,7 +2162,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/probe-monitoring-coreos-com-v1.adoc#probe-monitoring-coreos-com-v1[`Probe`] schema -| +| |=== .HTTP responses diff --git a/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc index a0a6215ebf2f..f504dc011596 100644 --- a/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc +++ b/rest_api/monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc 
@@ -865,7 +865,7 @@ in a breaking way. | `scrapeClasses[]` | `object` -| +| | `scrapeClassicHistograms` | `boolean` @@ -1021,7 +1021,7 @@ ServiceMonitor and ScrapeConfig resources. * The `__param_target__` label for Probe resources. Users can define their own sharding implementation by setting the -`\__tmp_hash` label during the target discovery with relabeling +`__tmp_hash` label during the target discovery with relabeling configuration (either in the monitoring resources or via scrape class). You can also disable sharding on a specific target by setting the @@ -1071,7 +1071,7 @@ the triple using the matching operator . | `topologySpreadConstraints[]` | `object` -| +| | `tracingConfig` | `object` @@ -3144,7 +3144,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -4660,7 +4660,7 @@ Type:: | `deny` | `boolean` -| +| |=== === .spec.containers @@ -10538,7 +10538,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -10812,7 +10812,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -11821,7 +11821,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -12340,7 +12340,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` 
@@ -13911,7 +13911,7 @@ More info: https://prometheus.io/docs/prometheus/latest/configuration/configurat | Relabelings configures the relabeling rules to apply to all scrape targets. The Operator automatically adds relabelings for a few standard Kubernetes fields -like `\__meta_kubernetes_namespace` and `\__meta_kubernetes_service_name`. +like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. Then the Operator adds the scrape class relabelings defined here. Then the Operator adds the target-specific relabelings defined in the scrape object. @@ -14124,7 +14124,7 @@ Description:: Relabelings configures the relabeling rules to apply to all scrape targets. The Operator automatically adds relabelings for a few standard Kubernetes fields -like `\__meta_kubernetes_namespace` and `\__meta_kubernetes_service_name`. +like `__meta_kubernetes_namespace` and `__meta_kubernetes_service_name`. Then the Operator adds the scrape class relabelings defined here. Then the Operator adds the target-specific relabelings defined in the scrape object. @@ -21599,7 +21599,7 @@ being performed. Only delete actions will be performed. | `shardStatuses[]` | `object` -| +| | `shards` | `integer` @@ -21853,7 +21853,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses @@ -21986,7 +21986,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses @@ -22088,7 +22088,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../autoscale_apis/scale-autoscaling-v1.adoc#scale-autoscaling-v1[`Scale`] schema -| +| |=== .HTTP responses 
@@ -22190,7 +22190,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/prometheus-monitoring-coreos-com-v1.adoc#prometheus-monitoring-coreos-com-v1[`Prometheus`] schema -| +| |=== .HTTP responses diff --git a/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc b/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc index fc9bbbea1ded..d5895f3d5fb6 100644 --- a/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc +++ b/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc @@ -385,7 +385,7 @@ Cannot be set at the same time as `authorization`, or `basicAuth`. | `params{}` | `array (string)` -| +| | `path` | `string` @@ -431,7 +431,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config @@ -828,7 +828,7 @@ It requires Prometheus >= v2.43.0, Alertmanager >= v0.25.0 or Thanos >= v0.32.0. | `proxyConnectHeader{}` | `array` -| +| | `proxyConnectHeader{}[]` | `object` @@ -1429,7 +1429,7 @@ metadata labels. The Operator automatically adds relabelings for a few standard Kubernetes fields. -The original scrape job's name is available via the `\__tmp_prometheus_job_name` label. +The original scrape job's name is available via the `__tmp_prometheus_job_name` label. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config -- @@ -2177,7 +2177,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc#servicemonitor-monitoring-coreos-com-v1[`ServiceMonitor`] schema -| +| |=== .HTTP responses 
@@ -2310,7 +2310,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../monitoring_apis/servicemonitor-monitoring-coreos-com-v1.adoc#servicemonitor-monitoring-coreos-com-v1[`ServiceMonitor`] schema -| +| |=== .HTTP responses diff --git a/rest_api/network_apis/gateway-gateway-networking-k8s-io-v1.adoc b/rest_api/network_apis/gateway-gateway-networking-k8s-io-v1.adoc index 77d20afaaea2..a0dc7ea9d9fa 100644 --- a/rest_api/network_apis/gateway-gateway-networking-k8s-io-v1.adoc +++ b/rest_api/network_apis/gateway-gateway-networking-k8s-io-v1.adoc @@ -113,7 +113,7 @@ Support: Extended logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. -Distinct Listeners +## Distinct Listeners Each Listener in a set of Listeners (for example, in a single Gateway) MUST be _distinct_, in that a traffic flow MUST be able to be assigned to 
@@ -190,20 +190,20 @@ values to choose the correct Listener and its associated set of Routes. Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over -`"\*.example.com"`, and `"\*.example.com"` takes precedence over `""`. +`"*.example.com"`, and `"*.example.com"` takes precedence over `""`. Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. -For example, `"\*.foo.example.com"` takes precedence over `"\*.example.com"`. +For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. The wildcard character will match any number of characters _and dots_ to -the left, however, so `"\*.example.com"` will match both +the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. -Handling indistinct Listeners +## Handling indistinct Listeners If a set of Listeners contains Listeners that are not distinct, then those Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" @@ -231,7 +231,7 @@ indicate in the Message which Listeners are conflicted, and which are Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. -General Listener behavior +## General Listener behavior Note that, for all distinct Listeners, requests SHOULD match at most one Listener. For example, if Listeners are defined for "foo.example.com" and "*.example.com", a 
@@ -247,7 +247,7 @@ Implementations that _do_ support Listener Isolation SHOULD claim support for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated conformance tests. -Compatible Listeners +## Compatible Listeners A Gateway's Listeners are considered _compatible_ if: @@ -538,17 +538,17 @@ values to choose the correct Listener and its associated set of Routes. Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over -`"\*.example.com"`, and `"\*.example.com"` takes precedence over `""`. +`"*.example.com"`, and `"*.example.com"` takes precedence over `""`. Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. -For example, `"\*.foo.example.com"` takes precedence over `"\*.example.com"`. +For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. The wildcard character will match any number of characters _and dots_ to -the left, however, so `"\*.example.com"` will match both +the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. ## Handling indistinct Listeners @@ -719,7 +719,7 @@ there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. -Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted +Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
@@ -1697,7 +1697,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/gateway-gateway-networking-k8s-io-v1.adoc#gateway-gateway-networking-k8s-io-v1[`Gateway`] schema -| +| |=== .HTTP responses @@ -1830,7 +1830,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/gateway-gateway-networking-k8s-io-v1.adoc#gateway-gateway-networking-k8s-io-v1[`Gateway`] schema -| +| |=== .HTTP responses @@ -1932,7 +1932,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/gateway-gateway-networking-k8s-io-v1.adoc#gateway-gateway-networking-k8s-io-v1[`Gateway`] schema -| +| |=== .HTTP responses diff --git a/rest_api/network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc b/rest_api/network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc index b85f7a7db519..07a28e47d7da 100644 --- a/rest_api/network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc +++ b/rest_api/network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc @@ -96,7 +96,7 @@ Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: 1. IPs are not allowed. -2. A hostname may be prefixed with a wildcard label (`\*.`). The wildcard +2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. If a hostname is specified by both the Listener and GRPCRoute, there 
@@ -106,13 +106,13 @@ attached to the Listener. For example: * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. -* A Listener with `\*.example.com` as the hostname matches GRPCRoutes +* A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, - `test.example.com` and `\*.example.com` would both match. On the other + `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. -Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted +Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. @@ -1277,11 +1277,11 @@ Required:: | `denominator` | `integer` -| +| | `numerator` | `integer` -| +| |=== === .spec.rules[].backendRefs[].filters[].responseHeaderModifier @@ -2061,11 +2061,11 @@ Required:: | `denominator` | `integer` -| +| | `numerator` | `integer` -| +| |=== === .spec.rules[].filters[].responseHeaderModifier @@ -2938,7 +2938,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc#grpcroute-gateway-networking-k8s-io-v1[`GRPCRoute`] schema -| +| |=== .HTTP responses @@ -3071,7 +3071,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc#grpcroute-gateway-networking-k8s-io-v1[`GRPCRoute`] schema -| +| |=== .HTTP responses 
@@ -3173,7 +3173,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/grpcroute-gateway-networking-k8s-io-v1.adoc#grpcroute-gateway-networking-k8s-io-v1[`GRPCRoute`] schema -| +| |=== .HTTP responses diff --git a/rest_api/network_apis/httproute-gateway-networking-k8s-io-v1.adoc b/rest_api/network_apis/httproute-gateway-networking-k8s-io-v1.adoc index 060880d52c70..4c1c08b807ae 100644 --- a/rest_api/network_apis/httproute-gateway-networking-k8s-io-v1.adoc +++ b/rest_api/network_apis/httproute-gateway-networking-k8s-io-v1.adoc @@ -80,7 +80,7 @@ Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions: 1. IPs are not allowed. -2. A hostname may be prefixed with a wildcard label (`\*.`). The wildcard +2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. If a hostname is specified by both the Listener and HTTPRoute, there 
@@ -90,14 +90,14 @@ attached to the Listener. For example: * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. -* A Listener with `\*.example.com` as the hostname matches HTTPRoutes +* A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, - `\*.example.com`, `test.example.com`, and `foo.test.example.com` would + `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. -Hostnames that are prefixed with a wildcard label (`\*.`) are interpreted +Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. @@ -1319,11 +1319,11 @@ Required:: | `denominator` | `integer` -| +| | `numerator` | `integer` -| +| |=== === .spec.rules[].backendRefs[].filters[].requestRedirect @@ -2379,11 +2379,11 @@ Required:: | `denominator` | `integer` -| +| | `numerator` | `integer` -| +| |=== === .spec.rules[].filters[].requestRedirect @@ -3675,7 +3675,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/httproute-gateway-networking-k8s-io-v1.adoc#httproute-gateway-networking-k8s-io-v1[`HTTPRoute`] schema -| +| |=== .HTTP responses @@ -3808,7 +3808,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/httproute-gateway-networking-k8s-io-v1.adoc#httproute-gateway-networking-k8s-io-v1[`HTTPRoute`] schema -| +| |=== .HTTP responses 
@@ -3910,7 +3910,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../network_apis/httproute-gateway-networking-k8s-io-v1.adoc#httproute-gateway-networking-k8s-io-v1[`HTTPRoute`] schema -| +| |=== .HTTP responses diff --git a/rest_api/objects/index.adoc b/rest_api/objects/index.adoc index f8080cf517c0..73a29b4c835b 100644 --- a/rest_api/objects/index.adoc +++ b/rest_api/objects/index.adoc @@ -1307,7 +1307,7 @@ Required:: | `items` | xref:../oauth_apis/useroauthaccesstoken-oauth-openshift-io-v1.adoc#useroauthaccesstoken-oauth-openshift-io-v1[`array (UserOAuthAccessToken)`] -| +| | `kind` | `string` @@ -1775,12 +1775,12 @@ Type:: | Property | Type | Description | `owned` -| `array (APIServiceDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-APIServiceDescription[`array (APIServiceDescription)`] +| | `required` -| `array (APIServiceDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-APIServiceDescription[`array (APIServiceDescription)`] +| |=== @@ -1807,12 +1807,12 @@ Type:: | Property | Type | Description | `owned` -| `array (CRDDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-CRDDescription[`array (CRDDescription)`] +| | `required` -| `array (CRDDescription)` -| +| xref:../objects/index.adoc#com-github-operator-framework-api-pkg-operators-v1alpha1-CRDDescription[`array (CRDDescription)`] +| |=== @@ -1841,11 +1841,11 @@ Required:: | `supported` | `boolean` -| +| | `type` | `string` -| +| |=== @@ -1877,7 +1877,7 @@ Required:: | `items` | xref:../operatorhub_apis/packagemanifest-packages-operators-coreos-com-v1.adoc#packagemanifest-packages-operators-coreos-com-v1[`array (PackageManifest)`] -| +| | `kind` | `string` @@ -1885,7 +1885,7 @@ Required:: | `metadata` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] -| +| |=== 
@@ -2645,7 +2645,7 @@ Required:: | `metadata` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] -| +| |=== @@ -2796,7 +2796,7 @@ Type:: | defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. | `items` -| `array (KeyToPath)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-KeyToPath[`array (KeyToPath)`] | items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. | `name` @@ -2840,7 +2840,7 @@ Required:: | fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. | `nodePublishSecretRef` -| `LocalObjectReference` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference[`LocalObjectReference`] | nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed. | `readOnly` 
@@ -2924,7 +2924,7 @@ Required:: | Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "". | `valueFrom` -| `EnvVarSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-EnvVarSource[`EnvVarSource`] | Source for the environment variable's value. Cannot be used if value is not empty. |=== @@ -3090,15 +3090,15 @@ Required:: | `lastTransitionTime` | xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Time[`Time`] -| +| | `message` | `string` -| +| | `reason` | `string` -| +| | `status` | `string` 
@@ -3730,15 +3730,15 @@ Type:: | accessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes | `awsElasticBlockStore` -| `AWSElasticBlockStoreVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AWSElasticBlockStoreVolumeSource[`AWSElasticBlockStoreVolumeSource`] | awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore | `azureDisk` -| `AzureDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AzureDiskVolumeSource[`AzureDiskVolumeSource`] | azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver. | `azureFile` -| `AzureFilePersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-AzureFilePersistentVolumeSource[`AzureFilePersistentVolumeSource`] | azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver. | `capacity` 
@@ -3746,11 +3746,11 @@ Type:: | capacity is the description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity | `cephfs` -| `CephFSPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CephFSPersistentVolumeSource[`CephFSPersistentVolumeSource`] | cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. | `cinder` -| `CinderPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CinderPersistentVolumeSource[`CinderPersistentVolumeSource`] | cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md | `claimRef` 
@@ -3758,39 +3758,39 @@ Type:: | claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding | `csi` -| `CSIPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-CSIPersistentVolumeSource[`CSIPersistentVolumeSource`] | csi represents storage that is handled by an external CSI driver. | `fc` -| `FCVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FCVolumeSource[`FCVolumeSource`] | fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. | `flexVolume` -| `FlexPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FlexPersistentVolumeSource[`FlexPersistentVolumeSource`] | flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. | `flocker` -| `FlockerVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-FlockerVolumeSource[`FlockerVolumeSource`] | flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. | `gcePersistentDisk` -| `GCEPersistentDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-GCEPersistentDiskVolumeSource[`GCEPersistentDiskVolumeSource`] | gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk | `glusterfs` -| `GlusterfsPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-GlusterfsPersistentVolumeSource[`GlusterfsPersistentVolumeSource`] | glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md | `hostPath` -| `HostPathVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-HostPathVolumeSource[`HostPathVolumeSource`] | hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath | `iscsi` -| `ISCSIPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ISCSIPersistentVolumeSource[`ISCSIPersistentVolumeSource`] | iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. | `local` -| `LocalVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalVolumeSource[`LocalVolumeSource`] | local represents directly-attached storage with node affinity | `mountOptions` 
@@ -3798,11 +3798,11 @@ Type:: | mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options | `nfs` -| `NFSVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-NFSVolumeSource[`NFSVolumeSource`] | nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs | `nodeAffinity` -| `VolumeNodeAffinity` +| xref:../objects/index.adoc#io-k8s-api-core-v1-VolumeNodeAffinity[`VolumeNodeAffinity`] | nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. | `persistentVolumeReclaimPolicy` 
@@ -3815,23 +3815,23 @@ Possible enum values: - `"Retain"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain. | `photonPersistentDisk` -| `PhotonPersistentDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PhotonPersistentDiskVolumeSource[`PhotonPersistentDiskVolumeSource`] | photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. | `portworxVolume` -| `PortworxVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PortworxVolumeSource[`PortworxVolumeSource`] | portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on. | `quobyte` -| `QuobyteVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-QuobyteVolumeSource[`QuobyteVolumeSource`] | quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. | `rbd` -| `RBDPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-RBDPersistentVolumeSource[`RBDPersistentVolumeSource`] | rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md | `scaleIO` -| `ScaleIOPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ScaleIOPersistentVolumeSource[`ScaleIOPersistentVolumeSource`] | scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. 
Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. | `storageClassName` @@ -3839,7 +3839,7 @@ Possible enum values: | storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass. | `storageos` -| `StorageOSPersistentVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-StorageOSPersistentVolumeSource[`StorageOSPersistentVolumeSource`] | storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md | `volumeAttributesClassName` @@ -3855,7 +3855,7 @@ Possible enum values: - `"Filesystem"` means the volume will be or is formatted with a filesystem. | `vsphereVolume` -| `VsphereVirtualDiskVolumeSource` +| xref:../objects/index.adoc#io-k8s-api-core-v1-VsphereVirtualDiskVolumeSource[`VsphereVirtualDiskVolumeSource`] | vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver. |=== @@ -3965,7 +3965,7 @@ Type:: | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | `spec` -| `PodSpec` +| xref:../objects/index.adoc#io-k8s-api-core-v1-PodSpec[`PodSpec`] | Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status |=== 
@@ -4075,7 +4075,7 @@ Type:: | hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ | `scopeSelector` -| `ScopeSelector_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ScopeSelector_v2[`ScopeSelector_v2`] | scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. | `scopes` @@ -4135,7 +4135,7 @@ Type:: | Property | Type | Description | `claims` -| `array (ResourceClaim)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-ResourceClaim[`array (ResourceClaim)`] | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. 
@@ -4269,7 +4269,7 @@ Type:: | defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. | `items` -| `array (KeyToPath)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-KeyToPath[`array (KeyToPath)`] | items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. | `optional` @@ -4434,7 +4434,7 @@ Type:: | Property | Type | Description | `matchLabelExpressions` -| `array (TopologySelectorLabelRequirement)` +| xref:../objects/index.adoc#io-k8s-api-core-v1-TopologySelectorLabelRequirement[`array (TopologySelectorLabelRequirement)`] | A list of topology selector requirements by labels. |=== @@ -4937,7 +4937,7 @@ Type:: | Property | Type | Description | `clusterRoleSelectors` -| `array (LabelSelector_v3)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelector_v3[`array (LabelSelector_v3)`] | ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added |=== 
@@ -5404,63 +5404,63 @@ Type:: | `$ref` | `string` -| +| | `$schema` | `string` -| +| | `additionalItems` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrBool[``] +| | `additionalProperties` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrBool[``] +| | `allOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `anyOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `default` -| `JSON` +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`JSON`] | default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false. | `definitions` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `dependencies` -| `object (undefined)` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrStringArray[`object (undefined)`] +| | `description` | `string` -| +| | `enum` -| `array (JSON)` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`array (JSON)`] +| | `example` -| `JSON` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSON[`JSON`] +| | `exclusiveMaximum` | `boolean` -| +| | `exclusiveMinimum` | `boolean` -| +| | `externalDocs` -| `ExternalDocumentation` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-ExternalDocumentation[`ExternalDocumentation`] +| | `format` | `string` 
@@ -5470,87 +5470,87 @@ Type:: | `id` | `string` -| +| | `items` -| `` -| +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaPropsOrArray[``] +| | `maxItems` | `integer` -| +| | `maxLength` | `integer` -| +| | `maxProperties` | `integer` -| +| | `maximum` | `number` -| +| | `minItems` | `integer` -| +| | `minLength` | `integer` -| +| | `minProperties` | `integer` -| +| | `minimum` | `number` -| +| | `multipleOf` | `number` -| +| | `not` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[``] -| +| | `nullable` | `boolean` -| +| | `oneOf` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`array (undefined)`] -| +| | `pattern` | `string` -| +| | `patternProperties` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `properties` | xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-JSONSchemaProps[`object (undefined)`] -| +| | `required` | `array (string)` -| +| | `title` | `string` -| +| | `type` | `string` -| +| | `uniqueItems` | `boolean` -| +| | `x-kubernetes-embedded-resource` | `boolean` @@ -5610,7 +5610,7 @@ Defaults to atomic for arrays. | x-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden. | `x-kubernetes-validations` -| `array (ValidationRule)` +| xref:../objects/index.adoc#io-k8s-apiextensions-apiserver-pkg-apis-apiextensions-v1-ValidationRule[`array (ValidationRule)`] | x-kubernetes-validations describes a list of validation rules written in the CEL expression language. |=== 
@@ -5638,7 +5638,7 @@ The serialization format is: (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) - ::= "e" \| "E" + ::= "e" \| "E" No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. @@ -5763,7 +5763,7 @@ Type:: | Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both. | `preconditions` -| `Preconditions` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Preconditions[`Preconditions`] | Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned. | `propagationPolicy` @@ -5850,15 +5850,15 @@ Required:: | `group` | `string` -| +| | `kind` | `string` -| +| | `version` | `string` -| +| |=== @@ -5913,7 +5913,7 @@ Type:: | Property | Type | Description | `matchExpressions` -| `array (LabelSelectorRequirement_v2)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement_v2[`array (LabelSelectorRequirement_v2)`] | matchExpressions is a list of label selector requirements. The requirements are ANDed. | `matchLabels` 
@@ -6073,7 +6073,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels | `managedFields` -| `array (ManagedFieldsEntry)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ManagedFieldsEntry[`array (ManagedFieldsEntry)`] | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | `name` @@ -6087,7 +6087,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces | `ownerReferences` -| `array (OwnerReference)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-OwnerReference[`array (OwnerReference)`] | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | `resourceVersion` 
@@ -6169,7 +6169,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels | `managedFields` -| `array (ManagedFieldsEntry)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ManagedFieldsEntry[`array (ManagedFieldsEntry)`] | ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object. | `name` @@ -6183,7 +6183,7 @@ Applied only if Name is not specified. More info: https://git.k8s.io/community/c Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces | `ownerReferences` -| `array (OwnerReference)` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-OwnerReference[`array (OwnerReference)`] | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | `resourceVersion` 
@@ -6233,7 +6233,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails[`StatusDetails`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6287,7 +6287,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6341,7 +6341,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6395,7 +6395,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` 
@@ -6449,7 +6449,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6503,7 +6503,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6557,7 +6557,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6611,7 +6611,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` 
@@ -6665,7 +6665,7 @@ Type:: | Suggested HTTP return code for this status, 0 if not set. | `details` -| `StatusDetails_v2` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-StatusDetails_v2[`StatusDetails_v2`] | Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. | `kind` @@ -6738,7 +6738,7 @@ Required:: | `type` | `string` -| +| |=== 
@@ -7289,6 +7289,46 @@ Required:: |=== +[id="io-k8s-storage-populator-v1beta1-VolumePopulatorList"] +== io.k8s.storage.populator.v1beta1.VolumePopulatorList schema + + +Description:: ++ +-- +VolumePopulatorList is a list of VolumePopulator +-- + +Type:: + `object` + +Required:: + - `items` + +=== Schema + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `items` +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`array (VolumePopulator)`] +| List of volumepopulators. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] +| Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +|=== + [id="io-k8s-storage-snapshot-v1-VolumeSnapshotClassList"] == io.k8s.storage.snapshot.v1.VolumeSnapshotClassList schema 
@@ -8129,6 +8169,46 @@ Required:: |=== +[id="io-openshift-config-v1-ClusterImagePolicyList"] +== io.openshift.config.v1.ClusterImagePolicyList schema + + +Description:: ++ +-- +ClusterImagePolicyList is a list of ClusterImagePolicy +-- + +Type:: + `object` + +Required:: + - `items` + +=== Schema + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `items` +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[`array (ClusterImagePolicy)`] +| List of clusterimagepolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] +| Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +|=== + [id="io-openshift-config-v1-ClusterOperatorList"] == io.openshift.config.v1.ClusterOperatorList schema 
@@ -8449,6 +8529,46 @@ Required:: |=== +[id="io-openshift-config-v1-ImagePolicyList"] +== io.openshift.config.v1.ImagePolicyList schema + + +Description:: ++ +-- +ImagePolicyList is a list of ImagePolicy +-- + +Type:: + `object` + +Required:: + - `items` + +=== Schema + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `items` +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[`array (ImagePolicy)`] +| List of imagepolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ListMeta[`ListMeta`] +| Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +|=== + [id="io-openshift-config-v1-ImageTagMirrorSetList"] == io.openshift.config.v1.ImageTagMirrorSetList schema diff --git a/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc b/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc index 809332f32e49..548ee1d84b8f 100644 --- a/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc +++ b/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc 
@@ -1059,7 +1059,7 @@ Type:: | `string` | protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: -"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas +"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when @@ -3014,11 +3014,11 @@ This should be when the underlying condition changed. If that is not known, the | `message` | `string` -| +| | `reason` | `string` -| +| | `status` | `string` @@ -3614,7 +3614,7 @@ Type:: | `string` | protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: -"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas +"proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when @@ -4078,7 +4078,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses @@ -4211,7 +4211,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses @@ -4313,7 +4313,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../autoscale_apis/scale-autoscaling-v1.adoc#scale-autoscaling-v1[`Scale`] schema -| +| |=== .HTTP responses 
@@ -4415,7 +4415,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operator_apis/ingresscontroller-operator-openshift-io-v1.adoc#ingresscontroller-operator-openshift-io-v1[`IngressController`] schema -| +| |=== .HTTP responses diff --git a/rest_api/operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc b/rest_api/operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc index d2cfb6e7c029..eaf1cab2115e 100644 --- a/rest_api/operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc +++ b/rest_api/operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc @@ -229,7 +229,7 @@ The port must be the last value in the domain. Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". The name is typically the repository in the registry where an image is located. -It must contain lowercase alphanumeric characters separated only by the ".", "\_", "\__", "-" characters. +It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. Multiple names can be concatenated with the "/" character. The domain and name are combined using the "/" character. Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". 
@@ -243,11 +243,11 @@ An identifier is required in the reference. Digest-based references must contain an algorithm reference immediately after the "@" separator. The algorithm reference must be followed by the ":" character and an encoded string. -The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "\_", "+", and "." characters. +The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. -Tag-based references must begin with a word character (alphanumeric + "\_") followed by word characters or ".", and "-" characters. +Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. The tag must not be longer than 127 characters. An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" @@ -587,7 +587,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc#clustercatalog-olm-operatorframework-io-v1[`ClusterCatalog`] schema -| +| |=== .HTTP responses @@ -720,7 +720,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc#clustercatalog-olm-operatorframework-io-v1[`ClusterCatalog`] schema -| +| |=== .HTTP responses @@ -822,7 +822,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../operatorhub_apis/clustercatalog-olm-operatorframework-io-v1.adoc#clustercatalog-olm-operatorframework-io-v1[`ClusterCatalog`] schema -| +| |=== .HTTP responses 
diff --git a/rest_api/overview/index.adoc b/rest_api/overview/index.adoc index 01aa067c9ed7..24516d8284cb 100644 --- a/rest_api/overview/index.adoc +++ b/rest_api/overview/index.adoc @@ -66,6 +66,8 @@ | operator.openshift.io/v1 | xref:../operatorhub_apis/clusterextension-olm-operatorframework-io-v1.adoc#clusterextension-olm-operatorframework-io-v1[ClusterExtension] | olm.operatorframework.io/v1 +| xref:../config_apis/clusterimagepolicy-config-openshift-io-v1.adoc#clusterimagepolicy-config-openshift-io-v1[ClusterImagePolicy] +| config.openshift.io/v1 | xref:../config_apis/clusteroperator-config-openshift-io-v1.adoc#clusteroperator-config-openshift-io-v1[ClusterOperator] | config.openshift.io/v1 | xref:../schedule_and_quota_apis/clusterresourcequota-quota-openshift-io-v1.adoc#clusterresourcequota-quota-openshift-io-v1[ClusterResourceQuota] @@ -218,6 +220,8 @@ | operator.openshift.io/v1alpha1 | xref:../config_apis/imagedigestmirrorset-config-openshift-io-v1.adoc#imagedigestmirrorset-config-openshift-io-v1[ImageDigestMirrorSet] | config.openshift.io/v1 +| xref:../config_apis/imagepolicy-config-openshift-io-v1.adoc#imagepolicy-config-openshift-io-v1[ImagePolicy] +| config.openshift.io/v1 | xref:../operator_apis/imagepruner-imageregistry-operator-openshift-io-v1.adoc#imagepruner-imageregistry-operator-openshift-io-v1[ImagePruner] | imageregistry.operator.openshift.io/v1 | xref:../image_apis/imagesignature-image-openshift-io-v1.adoc#imagesignature-image-openshift-io-v1[ImageSignature] 
@@ -514,6 +518,8 @@ | admissionregistration.k8s.io/v1 | xref:../storage_apis/volumeattachment-storage-k8s-io-v1.adoc#volumeattachment-storage-k8s-io-v1[VolumeAttachment] | storage.k8s.io/v1 +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[VolumePopulator] +| populator.storage.k8s.io/v1beta1 | xref:../storage_apis/volumesnapshot-snapshot-storage-k8s-io-v1.adoc#volumesnapshot-snapshot-storage-k8s-io-v1[VolumeSnapshot] | snapshot.storage.k8s.io/v1 | xref:../storage_apis/volumesnapshotclass-snapshot-storage-k8s-io-v1.adoc#volumesnapshotclass-snapshot-storage-k8s-io-v1[VolumeSnapshotClass] diff --git a/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.adoc b/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.adoc index 925ad39b5d05..a472da8942a1 100644 --- a/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.adoc +++ b/rest_api/security_apis/securitycontextconstraints-security-openshift-io-v1.adoc @@ -85,13 +85,13 @@ is allowed in the "Volumes" field. | `allowedUnsafeSysctls` | `` | allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. -Each entry is either a plain sysctl name or ends in "\*" in which case it is considered -as a prefix of allowed sysctls. Single \* means all unsafe sysctls are allowed. +Each entry is either a plain sysctl name or ends in "*" in which case it is considered +as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: -e.g. "foo/\*" allows "foo/bar", "foo/baz", etc. -e.g. "foo.\*" allows "foo.bar", "foo.baz", etc. +e.g. "foo/*" allows "foo/bar", "foo/baz", etc. +e.g. "foo.*" allows "foo.bar", "foo.baz", etc. | `apiVersion` | `string` 
@@ -111,8 +111,8 @@ process can gain more privileges than its parent process. | `forbiddenSysctls` | `` | forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. -Each entry is either a plain sysctl name or ends in "\*" in which case it is considered -as a prefix of forbidden sysctls. Single \* means all sysctls are forbidden. +Each entry is either a plain sysctl name or ends in "*" in which case it is considered +as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. @@ -282,7 +282,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../security_apis/securitycontextconstraints-security-openshift-io-v1.adoc#securitycontextconstraints-security-openshift-io-v1[`SecurityContextConstraints`] schema -| +| |=== .HTTP responses @@ -437,7 +437,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../security_apis/securitycontextconstraints-security-openshift-io-v1.adoc#securitycontextconstraints-security-openshift-io-v1[`SecurityContextConstraints`] schema -| +| |=== .HTTP responses diff --git a/rest_api/storage_apis/storage-apis-index.adoc b/rest_api/storage_apis/storage-apis-index.adoc index 9c674166058f..ac8e5e5ecaf4 100644 --- a/rest_api/storage_apis/storage-apis-index.adoc +++ b/rest_api/storage_apis/storage-apis-index.adoc @@ -115,6 +115,17 @@ VolumeAttachment captures the intent to attach or detach the specified volume to VolumeAttachment objects are non-namespaced. -- +Type:: + `object` + +== VolumePopulator [populator.storage.k8s.io/v1beta1] + +Description:: ++ +-- +VolumePopulator represents the registration for a volume populator. VolumePopulators are cluster scoped. +-- + Type:: `object` diff --git a/rest_api/storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc b/rest_api/storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc new file mode 100644 index 000000000000..96479eeada32 --- /dev/null 
+++ b/rest_api/storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc 
@@ -0,0 +1,307 @@ +// Automatically generated by 'openshift-apidocs-gen'. Do not edit. +:_mod-docs-content-type: ASSEMBLY +[id="volumepopulator-populator-storage-k8s-io-v1beta1"] += VolumePopulator [populator.storage.k8s.io/v1beta1] +:toc: macro +:toc-title: + +toc::[] + + +Description:: ++ +-- +VolumePopulator represents the registration for a volume populator. VolumePopulators are cluster scoped. +-- + +Type:: + `object` + +Required:: + - `sourceKind` + + +== Specification + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `apiVersion` +| `string` +| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| `kind` +| `string` +| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| `metadata` +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-ObjectMeta[`ObjectMeta`] +| Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + +| `sourceKind` +| `object` +| Kind of the data source this populator supports + +|=== +=== .sourceKind +Description:: ++ +-- +Kind of the data source this populator supports +-- + +Type:: + `object` + +Required:: + - `group` + - `kind` + + + +[cols="1,1,1",options="header"] +|=== +| Property | Type | Description + +| `group` +| `string` +| + +| `kind` +| `string` +| + +|=== + +== API endpoints + +The following API endpoints are available: + +* `/apis/populator.storage.k8s.io/v1beta1/volumepopulators` +- `DELETE`: delete collection of VolumePopulator +- `GET`: list objects of kind VolumePopulator +- `POST`: create a VolumePopulator +* `/apis/populator.storage.k8s.io/v1beta1/volumepopulators/{name}` +- `DELETE`: delete a VolumePopulator +- `GET`: read the specified VolumePopulator +- `PATCH`: partially update the specified VolumePopulator +- `PUT`: replace the specified VolumePopulator + + +=== /apis/populator.storage.k8s.io/v1beta1/volumepopulators + + + +HTTP method:: + `DELETE` + +Description:: + delete collection of VolumePopulator + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + list objects of kind VolumePopulator + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-storage-populator-v1beta1-VolumePopulatorList[`VolumePopulatorList`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `POST` + +Description:: + create a VolumePopulator + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. 
An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. 
+|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 201 - Created +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 202 - Accepted +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 401 - Unauthorized +| Empty +|=== + + +=== /apis/populator.storage.k8s.io/v1beta1/volumepopulators/{name} + +.Global path parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `name` +| `string` +| name of the VolumePopulator +|=== + + +HTTP method:: + `DELETE` + +Description:: + delete a VolumePopulator + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 202 - Accepted +| xref:../objects/index.adoc#io-k8s-apimachinery-pkg-apis-meta-v1-Status[`Status`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `GET` + +Description:: + read the specified VolumePopulator + + + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PATCH` + +Description:: + partially update the specified VolumePopulator + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 401 - Unauthorized +| Empty +|=== + +HTTP method:: + `PUT` + +Description:: + replace the specified VolumePopulator + + +.Query parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `dryRun` +| `string` +| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed +| `fieldValidation` +| `string` +| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered. +|=== + +.Body parameters +[cols="1,1,2",options="header"] +|=== +| Parameter | Type | Description +| `body` +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| +|=== + +.HTTP responses +[cols="1,1",options="header"] +|=== +| HTTP code | Reponse body +| 200 - OK +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 201 - Created +| xref:../storage_apis/volumepopulator-populator-storage-k8s-io-v1beta1.adoc#volumepopulator-populator-storage-k8s-io-v1beta1[`VolumePopulator`] schema +| 401 - Unauthorized +| Empty +|=== + + diff --git a/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc b/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc index 1f39295fb5d2..19eb1918bfe4 100644 --- a/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc +++ b/rest_api/template_apis/templateinstance-template-openshift-io-v1.adoc @@ -74,7 +74,7 @@ Required:: | TemplateInstanceRequester holds the identity of an agent requesting a template instantiation. | `secret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | secret is a reference to a Secret object containing the necessary template parameters. | `template` @@ -107,7 +107,7 @@ Type:: | `extra{}` | `array (string)` -| +| | `groups` | `array (string)` @@ -529,7 +529,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses 
@@ -684,7 +684,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses @@ -816,7 +816,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../template_apis/templateinstance-template-openshift-io-v1.adoc#templateinstance-template-openshift-io-v1[`TemplateInstance`] schema -| +| |=== .HTTP responses diff --git a/rest_api/workloads_apis/build-build-openshift-io-v1.adoc b/rest_api/workloads_apis/build-build-openshift-io-v1.adoc index bb49a478a1e4..39d4899327e2 100644 --- a/rest_api/workloads_apis/build-build-openshift-io-v1.adoc +++ b/rest_api/workloads_apis/build-build-openshift-io-v1.adoc @@ -200,7 +200,7 @@ Type:: | ImageLabel represents a label applied to the resulting image. | `pushSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | PushSecret is the name of a Secret that would be used for setting up the authentication for executing the Docker push to authentication enabled Docker Registry (or Docker Hub). | `to` @@ -507,7 +507,7 @@ Type:: | SecretBuildSource describes a secret and its destination directory that will be used only at the build time. The content of the secret referenced here will be copied into the destination directory instead of mounting. | `sourceSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | sourceSecret is the name of a Secret that would be used for setting up the authentication for cloning private repository. The secret contains valid credentials for remote repository, where the data's key represent the authentication method to be used and value is the base64 encoded credentials. Supported auth methods are: ssh-privatekey. | `type` 
@@ -570,7 +570,7 @@ Required:: | Property | Type | Description | `configMap` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | configMap is a reference to an existing configmap that you want to use in your build. | `destinationDir` @@ -667,7 +667,7 @@ Required:: | ImageSourcePath describes a path to be copied from a source image and its destination within the build directory. | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is a reference to a secret to be used to pull the image from a registry If the image is pulled from the OpenShift registry, this field does not need to be set. |=== @@ -750,7 +750,7 @@ Required:: | destinationDir is the directory where the files from the secret should be available for the build time. For the Source build strategy, these will be injected into a container where the assemble script runs. Later, when the script finishes, all files injected will be truncated to zero length. For the container image build strategy, these will be copied into the build directory, where the Dockerfile is located, so users can ADD or COPY them during container image build. | `secret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | secret is a reference to an existing secret that you want to use in your build. |=== @@ -832,7 +832,7 @@ Required:: | from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which the container image should be pulled | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `secrets` 
@@ -882,7 +882,7 @@ Required:: | mountPath is the path at which to mount the secret | `secretSource` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | secretSource is a reference to the secret |=== @@ -932,7 +932,7 @@ Type:: | noCache if set to true indicates that the container image build must be executed with the --no-cache=true flag | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `volumes` @@ -1134,7 +1134,7 @@ Required:: | incremental flag forces the Source build to do incremental builds if true. | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `scripts` @@ -2342,7 +2342,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses @@ -2497,7 +2497,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses @@ -2580,7 +2580,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/build-build-openshift-io-v1.adoc#build-build-openshift-io-v1[`Build`] schema -| +| |=== .HTTP responses diff --git a/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc b/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc index de746fcadb86..507fa7417891 100644 
--- a/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc +++ b/rest_api/workloads_apis/buildconfig-build-openshift-io-v1.adoc @@ -216,7 +216,7 @@ Type:: | ImageLabel represents a label applied to the resulting image. | `pushSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | PushSecret is the name of a Secret that would be used for setting up the authentication for executing the Docker push to authentication enabled Docker Registry (or Docker Hub). | `to` @@ -523,7 +523,7 @@ Type:: | SecretBuildSource describes a secret and its destination directory that will be used only at the build time. The content of the secret referenced here will be copied into the destination directory instead of mounting. | `sourceSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | sourceSecret is the name of a Secret that would be used for setting up the authentication for cloning private repository. The secret contains valid credentials for remote repository, where the data's key represent the authentication method to be used and value is the base64 encoded credentials. Supported auth methods are: ssh-privatekey. | `type` @@ -586,7 +586,7 @@ Required:: | Property | Type | Description | `configMap` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | configMap is a reference to an existing configmap that you want to use in your build. | `destinationDir` 
@@ -683,7 +683,7 @@ Required:: | ImageSourcePath describes a path to be copied from a source image and its destination within the build directory. | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is a reference to a secret to be used to pull the image from a registry If the image is pulled from the OpenShift registry, this field does not need to be set. |=== @@ -766,7 +766,7 @@ Required:: | destinationDir is the directory where the files from the secret should be available for the build time. For the Source build strategy, these will be injected into a container where the assemble script runs. Later, when the script finishes, all files injected will be truncated to zero length. For the container image build strategy, these will be copied into the build directory, where the Dockerfile is located, so users can ADD or COPY them during container image build. | `secret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | secret is a reference to an existing secret that you want to use in your build. |=== @@ -848,7 +848,7 @@ Required:: | from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which the container image should be pulled | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `secrets` @@ -898,7 +898,7 @@ Required:: | mountPath is the path at which to mount the secret | `secretSource` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | secretSource is a reference to the secret |=== 
@@ -948,7 +948,7 @@ Type:: | noCache if set to true indicates that the container image build must be executed with the --no-cache=true flag | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `volumes` @@ -1150,7 +1150,7 @@ Required:: | incremental flag forces the Source build to do incremental builds if true. | `pullSecret` -| `LocalObjectReference_v2` +| xref:../objects/index.adoc#io-k8s-api-core-v1-LocalObjectReference_v2[`LocalObjectReference_v2`] | pullSecret is the name of a Secret that would be used for setting up the authentication for pulling the container images from the private Docker registries | `scripts` @@ -1849,7 +1849,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/buildconfig-build-openshift-io-v1.adoc#buildconfig-build-openshift-io-v1[`BuildConfig`] schema -| +| |=== .HTTP responses @@ -2004,7 +2004,7 @@ Description:: | Parameter | Type | Description | `body` | xref:../workloads_apis/buildconfig-build-openshift-io-v1.adoc#buildconfig-build-openshift-io-v1[`BuildConfig`] schema -| +| |=== .HTTP responses