Standard object metadata.

Spec is the specification of the AdminKubeconfigRequest.

Status is the status of the AdminKubeconfigRequest.

ExpirationSeconds is the requested validity duration of the credential. The credential issuer may return a credential with a different validity duration so a client needs to check the ‘expirationTimestamp’ field in a response. Defaults to 1 hour.

Kubeconfig contains the kubeconfig with cluster-admin privileges for the shoot cluster.

ExpirationTimestamp is the expiration timestamp of the returned credential.

Standard object metadata.

Spec is the specification of the ViewerKubeconfigRequest.

Status is the status of the ViewerKubeconfigRequest.

ExpirationSeconds is the requested validity duration of the credential. The credential issuer may return a credential with a different validity duration so a client needs to check the ‘expirationTimestamp’ field in a response. Defaults to 1 hour.

Kubeconfig contains the kubeconfig with viewer privileges (excluding Secrets) for the shoot cluster.

ExpirationTimestamp is the expiration timestamp of the returned credential.

Standard object metadata.

Specification of the Backup Bucket.

Most recently observed status of the Backup Bucket.

Standard object metadata.

Spec contains the specification of the Backup Entry.

Status contains the most recently observed status of the Backup Entry.

Standard object metadata.

Spec defines the provider environment properties.

Standard object metadata.

Type is the deployment type.

ProviderConfig contains type-specific configuration. It contains assets that deploy the controller.

Standard object metadata.

Spec contains the specification of this installation. If the object’s deletion timestamp is set, this field is immutable.

Status contains the status of this installation.

Standard object metadata.

Spec contains the specification of this registration. If the object’s deletion timestamp is set, this field is immutable.

Standard object metadata.

Handler is the name of the handler which applies the control plane endpoint exposure strategy. This field is immutable.

Scheduling holds information how to select applicable Seed’s for ExposureClass usage. This field is immutable.

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.

Data contains the secret data. Each key must consist of alphanumeric characters, ‘-’, ‘_’ or ‘.’. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4

stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.

Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types

Standard object metadata.

Spec defines the provider environment properties.

Most recently observed status of the NamespacedCloudProfile.

Standard object metadata.

Spec defines the project properties.

Most recently observed status of the Project.

Standard object metadata.

Spec defines the Quota constraints.

Standard object metadata.

SecretRef is a reference to a secret object in the same or another namespace. This field is immutable.

Quotas is a list of references to Quota objects in the same or another namespace. This field is immutable.

Provider defines the provider type of the SecretBinding. This field is immutable.

Standard object metadata.

Spec contains the specification of this installation.

Status contains the status of this installation.

Standard object metadata.

Specification of the Shoot cluster. If the object’s deletion timestamp is set, this field is immutable.

Most recently observed status of the Shoot cluster.

Standard object metadata.

Specification of the ShootState.

Verbosity is the kube-apiserver log verbosity level Defaults to 2.

HTTPAccessVerbosity is the kube-apiserver access logs level

MaxNonMutatingInflight is the maximum number of non-mutating requests in flight at a given time. When the server exceeds this, it rejects requests.

MaxMutatingInflight is the maximum number of mutating requests in flight at a given time. When the server exceeds this, it rejects requests.

Enabled indicates whether the addon is enabled or not.

KubernetesDashboard holds configuration settings for the kubernetes dashboard addon.

NginxIngress holds configuration settings for the nginx-ingress addon.

Name is the name of the plugin.

Config is the configuration of the plugin.

Disabled specifies whether this plugin should be disabled.

KubeconfigSecretName specifies the name of a secret containing the kubeconfig for this admission plugin.

MonitoringEmailReceivers is a list of recipients for alerts

AuditPolicy contains configuration settings for audit policy of the kube-apiserver.

ConfigMapRef is a reference to a ConfigMap object in the same namespace, which contains the audit policy for the kube-apiserver.

Name is an availability zone name.

UnavailableMachineTypes is a list of machine type names that are not availability in this zone.

UnavailableVolumeTypes is a list of volume type names that are not availability in this zone.

Type is the type of provider.

Region is the region of the bucket.

Provider holds the details of cloud provider of the object store. This field is immutable.

ProviderConfig is the configuration passed to BackupBucket resource.

SecretRef is a reference to a secret that contains the credentials to access object store.

SeedName holds the name of the seed allocated to BackupBucket for running controller. This field is immutable.

ProviderStatus is the configuration passed to BackupBucket resource.

LastOperation holds information about the last operation on the BackupBucket.

LastError holds information about the last occurred error during an operation.

ObservedGeneration is the most recent generation observed for this BackupBucket. It corresponds to the BackupBucket’s generation, which is updated on mutation by the API Server.

GeneratedSecretRef is reference to the secret generated by backup bucket, which will have object store specific credentials.

BucketName is the name of backup bucket for this Backup Entry.

SeedName holds the name of the seed to which this BackupEntry is scheduled

LastOperation holds information about the last operation on the BackupEntry.

LastError holds information about the last occurred error during an operation.

ObservedGeneration is the most recent generation observed for this BackupEntry. It corresponds to the BackupEntry’s generation, which is updated on mutation by the API Server.

SeedName is the name of the seed to which this BackupEntry is currently scheduled. This field is populated at the beginning of a create/reconcile operation. It is used when moving the BackupEntry between seeds.

MigrationStartTime is the time when a migration to a different seed was initiated.

Phase describes the phase of the certificate authority credential rotation.

LastCompletionTime is the most recent time when the certificate authority credential rotation was successfully completed.

LastInitiationTime is the most recent time when the certificate authority credential rotation was initiated.

LastInitiationFinishedTime is the recent time when the certificate authority credential rotation initiation was completed.

LastCompletionTriggeredTime is the recent time when the certificate authority credential rotation completion was triggered.

The name of the CRI library. Supported values are containerd.

ContainerRuntimes is the list of the required container runtimes supported for a worker pool.

Kind contains a CloudProfile kind.

Name contains the name of the referenced CloudProfile.

CABundle is a certificate bundle which will be installed onto every host machine of shoot cluster targeting this profile.

Kubernetes contains constraints regarding allowed values of the ‘kubernetes’ block in the Shoot specification.

MachineImages contains constraints regarding allowed values for machine images in the Shoot specification.

MachineTypes contains constraints regarding allowed values for machine types in the ‘workers’ block in the Shoot specification.

ProviderConfig contains provider-specific configuration for the profile.

Regions contains constraints regarding allowed values for regions and zones.

SeedSelector contains an optional list of labels on Seed resources that marks those seeds whose shoots may use this provider profile. An empty list means that all seeds of the same provider type are supported. This is useful for environments that are of the same type (like openstack) but may have different “instances”/landscapes. Optionally a list of possible providers can be added to enable cross-provider scheduling. By default, the provider type of the seed must match the shoot’s provider.

Type is the name of the provider.

VolumeTypes contains constraints regarding allowed values for volume types in the ‘workers’ block in the Shoot specification.

ScaleDownDelayAfterAdd defines how long after scale up that scale down evaluation resumes (default: 1 hour).

ScaleDownDelayAfterDelete how long after node deletion that scale down evaluation resumes, defaults to scanInterval (default: 0 secs).

ScaleDownDelayAfterFailure how long after scale down failure that scale down evaluation resumes (default: 3 mins).

ScaleDownUnneededTime defines how long a node should be unneeded before it is eligible for scale down (default: 30 mins).

ScaleDownUtilizationThreshold defines the threshold in fraction (0.0 - 1.0) under which a node is being removed (default: 0.5).

ScanInterval how often cluster is reevaluated for scale up or down (default: 10 secs).

Expander defines the algorithm to use during scale up (default: least-waste). See: https://github.com/gardener/autoscaler/blob/machine-controller-manager-provider/cluster-autoscaler/FAQ.md#what-are-expanders.

MaxNodeProvisionTime defines how long CA waits for node to be provisioned (default: 20 mins).

MaxGracefulTerminationSeconds is the number of seconds CA waits for pod termination when trying to scale down a node (default: 600).

IgnoreTaints specifies a list of taint keys to ignore in node templates when considering to scale a node group.

NewPodScaleUpDelay specifies how long CA should ignore newly created pods before they have to be considered for scale-up (default: 0s).

MaxEmptyBulkDelete specifies the maximum number of empty nodes that can be deleted at the same time (default: 10).

IgnoreDaemonsetsUtilization allows CA to ignore DaemonSet pods when calculating resource utilization for scaling down (default: false).

Verbosity allows CA to modify its log level (default: 2).

ScaleDownUtilizationThreshold defines the threshold in fraction (0.0 - 1.0) under which a node is being removed.

ScaleDownGpuUtilizationThreshold defines the threshold in fraction (0.0 - 1.0) of gpu resources under which a node is being removed.

ScaleDownUnneededTime defines how long a node should be unneeded before it is eligible for scale down.

ScaleDownUnreadyTime defines how long an unready node should be unneeded before it is eligible for scale down.

MaxNodeProvisionTime defines how long CA waits for node to be provisioned.

Type of the condition.

Status of the condition, one of True, False, Unknown.

Last time the condition transitioned from one status to another.

Last time the condition was updated.

The reason for the condition’s last transition.

A human readable message indicating details about the transition.

Well-defined error codes in case the condition reports a problem.

Type is the type of the Container Runtime.

ProviderConfig is the configuration passed to container runtime resource.

HighAvailability holds the configuration settings for high availability of the control plane of a shoot.

RegistrationRef is used to reference a ControllerRegistration resource. The name field of the RegistrationRef is immutable.

SeedRef is used to reference a Seed resource. The name field of the SeedRef is immutable.

DeploymentRef is used to reference a ControllerDeployment resource.

Conditions represents the latest available observations of a ControllerInstallations’s current state.

ProviderStatus contains type-specific status.

Policy controls how the controller is deployed. It defaults to ‘OnDemand’.

SeedSelector contains an optional label selector for seeds. Only if the labels match then this controller will be considered for a deployment. An empty list means that all seeds are selected.

DeploymentRefs holds references to ControllerDeployments. Only one element is supported currently.

Resources is a list of combinations of kinds (DNSProvider, Infrastructure, Generic, …) and their actual types (aws-route53, gcp, auditlog, …).

Deployment contains information for how this controller is deployed.

Kind is the resource kind, for example “OperatingSystemConfig”.

Type is the resource type, for example “coreos” or “ubuntu”.

GloballyEnabled determines if this ControllerResource is required by all Shoot clusters. This field is defaulted to false when kind is “Extension”.

ReconcileTimeout defines how long Gardener should wait for the resource reconciliation. This field is defaulted to 3m0s when kind is “Extension”.

Primary determines if the controller backed by this ControllerRegistration is responsible for the extension resource’s lifecycle. This field defaults to true. There must be exactly one primary controller for this kind/type combination. This field is immutable.

Lifecycle defines a strategy that determines when different operations on a ControllerResource should be performed. This field is defaulted in the following way when kind is “Extension”. Reconcile: “AfterKubeAPIServer” Delete: “BeforeKubeAPIServer” Migrate: “BeforeKubeAPIServer”

WorkerlessSupported specifies whether this ControllerResource supports Workerless Shoot clusters. This field is only relevant when kind is “Extension”.

Reconcile defines the strategy during reconciliation.

Delete defines the strategy during deletion.

Migrate defines the strategy during migration.

Autoscaling contains the settings related to autoscaling of the Core DNS components running in the data plane of the Shoot cluster.

Rewriting contains the setting related to rewriting of requests, which are obviously incorrect due to the unnecessary application of the search path.

The mode of the autoscaling to be used for the Core DNS components running in the data plane of the Shoot cluster. Supported values are horizontal and cluster-proportional.

CommonSuffixes are expected to be the suffix of a fully qualified domain name. Each suffix should contain at least one or two dots (‘.’) to prevent accidental clashes.

Domain is the external available domain of the Shoot cluster. This domain will be written into the kubeconfig that is handed out to end-users. This field is immutable.

Providers is a list of DNS providers that shall be enabled for this shoot cluster. Only relevant if not a default domain is used. Deprecated: Configuring multiple DNS providers is deprecated and will be forbidden in a future release. Please use the DNS extension provider config (e.g. shoot-dns-service) for additional providers.

Include is a list of domains that shall be included.

Exclude is a list of domains that shall be excluded.

Domains contains information about which domains shall be included/excluded for this provider. Deprecated: This field is deprecated and will be removed in a future release. Please use the DNS extension provider config (e.g. shoot-dns-service) for additional configuration.

Primary indicates that this DNSProvider is used for shoot related domains. Deprecated: This field is deprecated and will be removed in a future release. Please use the DNS extension provider config (e.g. shoot-dns-service) for additional and non-primary providers.

SecretName is a name of a secret containing credentials for the stated domain and the provider. When not specified, the Gardener will use the cloud provider credentials referenced by the Shoot and try to find respective credentials there (primary provider only). Specifying this field may override this behavior, i.e. forcing the Gardener to only look into the given secret.

Type is the DNS provider type.

Zones contains information about which hosted zones shall be included/excluded for this provider. Deprecated: This field is deprecated and will be removed in a future release. Please use the DNS extension provider config (e.g. shoot-dns-service) for additional configuration.

Name of the volume to make it referencable.

Type is the type of the volume.

VolumeSize is the size of the volume.

Encrypted determines if the volume should be encrypted.

Name is the name of the ControllerDeployment that is being referred to.

Resource is the name of the resource this applies to.

Selector is the label selector for the resources.

IncludeServiceAccounts specifies whether the concept also applies when deletion is triggered by ServiceAccounts. Defaults to true.

Phase describes the phase of the ETCD encryption key credential rotation.

LastCompletionTime is the most recent time when the ETCD encryption key credential rotation was successfully completed.

LastInitiationTime is the most recent time when the ETCD encryption key credential rotation was initiated.

LastInitiationFinishedTime is the recent time when the certificate authority credential rotation initiation was completed.

LastCompletionTriggeredTime is the recent time when the certificate authority credential rotation completion was triggered.

Resources contains the list of resources that shall be encrypted in addition to secrets. Each item is a Kubernetes resource name in plural (resource or resource.group) that should be encrypted. Note that configuring a custom resource is only supported for versions >= 1.26. Wildcards are not supported for now. See https://github.com/gardener/gardener/blob/master/docs/usage/etcd_encryption_config.md for more details.

Version is the version identifier.

ExpirationDate defines the time at which this version expires.

Classification defines the state of a version (preview, supported, deprecated)

SeedSelector is an optional label selector for Seed’s which are suitable to use the ExposureClass.

Tolerations contains the tolerations for taints on Seed clusters.

Type is the type of the extension resource.

ProviderConfig is the configuration passed to extension resource.

Disabled allows to disable extensions that were marked as ‘globally enabled’ by Gardener administrators.

Kind (type) of the extension custom resource

Name of the extension custom resource

Purpose of the extension custom resource

State of the extension resource

Resources holds a list of named resource references that can be referred to in the state by their names.

Type specifies the type of failure that the highly available resource can tolerate

ID is the container id of the Gardener which last acted on a resource.

Name is the hostname (pod name) of the Gardener which last acted on a resource.

Version is the version of the Gardener which last acted on a resource.

Name of the object required to generate resources

Type of the object

Data contains the payload required to generate resources

Labels are labels of the object

Chart is a Helm chart tarball.

Values is a map of values for the given chart.

OCIRepository defines where to pull the chart.

Enabled specifies whether the Shoot needs to be hibernated or not. If it is true, the Shoot’s desired state is to be hibernated. If it is false or nil, the Shoot’s desired state is to be awakened.

Schedules determine the hibernation schedules.

Start is a Cron spec at which time a Shoot will be hibernated.

End is a Cron spec at which time a Shoot will be woken up.

Location is the time location in which both start and shall be evaluated.

FailureTolerance holds information about failure tolerance level of a highly available resource.

The period after which a ready pod transition is considered to be the first.

The configurable window at which the controller will choose the highest recommendation for autoscaling.

The configurable period at which the horizontal pod autoscaler considers a Pod “not yet ready” given that it’s unready and it has transitioned to unready during that time.

The period for syncing the number of pods in horizontal pod autoscaler.

The minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.

Domain specifies the IngressDomain of the cluster pointing to the ingress controller endpoint. It will be used to construct ingress URLs for system applications running in Shoot/Garden clusters. Once set this field is immutable.

Controller configures a Gardener managed Ingress Controller listening on the ingressDomain

Kind defines which kind of IngressController to use. At the moment only nginx is supported

ProviderConfig specifies infrastructure specific configuration for the ingressController

(Members of KubernetesConfig are embedded into this type.)

AdmissionPlugins contains the list of user-defined admission plugins (additional to those managed by Gardener), and, if desired, the corresponding configuration.

APIAudiences are the identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. Defaults to [“kubernetes”].

AuditConfig contains configuration settings for the audit of the kube-apiserver.

OIDCConfig contains configuration settings for the OIDC provider.

RuntimeConfig contains information about enabled or disabled APIs.

ServiceAccountConfig contains configuration settings for the service account handling of the kube-apiserver.

WatchCacheSizes contains configuration of the API server’s watch cache sizes. Configuring these flags might be useful for large-scale Shoot clusters with a lot of parallel update requests and a lot of watching controllers (e.g. large ManagedSeed clusters). When the API server’s watch cache’s capacity is too small to cope with the amount of update requests and watchers for a particular resource, it might happen that controller watches are permanently stopped with too old resource version errors. Starting from kubernetes v1.19, the API server’s watch cache size is adapted dynamically and setting the watch cache size flags will have no effect, except when setting it to 0 (which disables the watch cache).

Requests contains configuration for request-specific settings for the kube-apiserver.

EnableAnonymousAuthentication defines whether anonymous requests to the secure port of the API server should be allowed (flag --anonymous-auth). See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

EventTTL controls the amount of time to retain events. Defaults to 1h.

Logging contains configuration for the log level and HTTP access logs.

DefaultNotReadyTolerationSeconds indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration (flag --default-not-ready-toleration-seconds). The field has effect only when the DefaultTolerationSeconds admission plugin is enabled. Defaults to 300.

DefaultUnreachableTolerationSeconds indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration (flag --default-unreachable-toleration-seconds). The field has effect only when the DefaultTolerationSeconds admission plugin is enabled. Defaults to 300.

EncryptionConfig contains customizable encryption configuration of the Kube API server.

(Members of KubernetesConfig are embedded into this type.)

HorizontalPodAutoscalerConfig contains horizontal pod autoscaler configuration settings for the kube-controller-manager.

NodeCIDRMaskSize defines the mask size for node cidr in cluster (default is 24). This field is immutable.

PodEvictionTimeout defines the grace period for deleting pods on failed nodes. Defaults to 2m.

Deprecated: The corresponding kube-controller-manager flag --pod-eviction-timeout is deprecated in favor of the kube-apiserver flags --default-not-ready-toleration-seconds and --default-unreachable-toleration-seconds. The --pod-eviction-timeout flag does not have effect when the taint besed eviction is enabled. The taint based eviction is beta (enabled by default) since Kubernetes 1.13 and GA since Kubernetes 1.18. Hence, instead of setting this field, set the spec.kubernetes.kubeAPIServer.defaultNotReadyTolerationSeconds and spec.kubernetes.kubeAPIServer.defaultUnreachableTolerationSeconds.

NodeMonitorGracePeriod defines the grace period before an unresponsive node is marked unhealthy.

(Members of KubernetesConfig are embedded into this type.)

Mode specifies which proxy mode to use. defaults to IPTables.

Enabled indicates whether kube-proxy should be deployed or not. Depending on the networking extensions switching kube-proxy off might be rejected. Consulting the respective documentation of the used networking extension is recommended before using this field. defaults to true if not specified.

(Members of KubernetesConfig are embedded into this type.)

KubeMaxPDVols allows to configure the KUBE_MAX_PD_VOLS environment variable for the kube-scheduler. Please find more information here: https://kubernetes.io/docs/concepts/storage/storage-limits/#custom-limits Note that using this field is considered alpha-/experimental-level and is on your own risk. You should be aware of all the side-effects and consequences when changing it.

Profile configures the scheduling profile for the cluster. If not specified, the used profile is “balanced” (provides the default kube-scheduler behavior).

(Members of KubernetesConfig are embedded into this type.)

CPUCFSQuota allows you to disable/enable CPU throttling for Pods.

CPUManagerPolicy allows to set alternative CPU management policies (default: none).

EvictionHard describes a set of eviction thresholds (e.g. memory.available<1Gi) that if met would trigger a Pod eviction. Default: memory.available: “100Mi/1Gi/5%” nodefs.available: “5%” nodefs.inodesFree: “5%” imagefs.available: “5%” imagefs.inodesFree: “5%”

EvictionMaxPodGracePeriod describes the maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. Default: 90

EvictionMinimumReclaim configures the amount of resources below the configured eviction threshold that the kubelet attempts to reclaim whenever the kubelet observes resource pressure. Default: 0 for each resource

EvictionPressureTransitionPeriod is the duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. Default: 4m0s

EvictionSoft describes a set of eviction thresholds (e.g. memory.available<1.5Gi) that if met over a corresponding grace period would trigger a Pod eviction. Default: memory.available: “200Mi/1.5Gi/10%” nodefs.available: “10%” nodefs.inodesFree: “10%” imagefs.available: “10%” imagefs.inodesFree: “10%”

EvictionSoftGracePeriod describes a set of eviction grace periods (e.g. memory.available=1m30s) that correspond to how long a soft eviction threshold must hold before triggering a Pod eviction. Default: memory.available: 1m30s nodefs.available: 1m30s nodefs.inodesFree: 1m30s imagefs.available: 1m30s imagefs.inodesFree: 1m30s

MaxPods is the maximum number of Pods that are allowed by the Kubelet. Default: 110

PodPIDsLimit is the maximum number of process IDs per pod allowed by the kubelet.

FailSwapOn makes the Kubelet fail to start if swap is enabled on the node. (default true).

KubeReserved is the configuration for resources reserved for kubernetes node components (mainly kubelet and container runtime). When updating these values, be aware that cgroup resizes may not succeed on active worker nodes. Look for the NodeAllocatableEnforced event to determine if the configuration was applied. Default: cpu=80m,memory=1Gi,pid=20k

SystemReserved is the configuration for resources reserved for system processes not managed by kubernetes (e.g. journald). When updating these values, be aware that cgroup resizes may not succeed on active worker nodes. Look for the NodeAllocatableEnforced event to determine if the configuration was applied. Deprecated: Separately configuring resource reservations for system processes is deprecated in Gardener and will be removed soon. Please merge existing resource reservations into the kubeReserved field. TODO(MichaelEischer): Drop this field after v1.113 has been released.

ImageGCHighThresholdPercent describes the percent of the disk usage which triggers image garbage collection. Default: 50

ImageGCLowThresholdPercent describes the percent of the disk to which garbage collection attempts to free. Default: 40

SerializeImagePulls describes whether the images are pulled one at a time. Default: true

RegistryPullQPS is the limit of registry pulls per second. The value must not be a negative number. Setting it to 0 means no limit. Default: 5

RegistryBurst is the maximum size of bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registryPullQPS. The value must not be a negative number. Only used if registryPullQPS is greater than 0. Default: 10

SeccompDefault enables the use of RuntimeDefault as the default seccomp profile for all workloads. This requires the corresponding SeccompDefault feature gate to be enabled as well. This field is only available for Kubernetes v1.25 or later.

A quantity defines the maximum size of the container log file before it is rotated. For example: “5Mi” or “256Ki”. Default: 100Mi

Maximum number of container log files that can be present for a container.

ProtectKernelDefaults ensures that the kernel tunables are equal to the kubelet defaults. Defaults to true for Kubernetes v1.26 or later.

StreamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. This field cannot be set lower than “30s” or greater than “4h”. Default: “4h” for Kubernetes < v1.26. “5m” for Kubernetes >= v1.26.

MemorySwap configures swap memory available to container workloads.

MemoryAvailable is the threshold for the free memory on the host server.

ImageFSAvailable is the threshold for the free disk space in the imagefs filesystem (docker images and container writable layers).

ImageFSInodesFree is the threshold for the available inodes in the imagefs filesystem.

NodeFSAvailable is the threshold for the free disk space in the nodefs filesystem (docker volumes, logs, etc).

NodeFSInodesFree is the threshold for the available inodes in the nodefs filesystem.

MemoryAvailable is the threshold for the memory reclaim on the host server.

ImageFSAvailable is the threshold for the disk space reclaim in the imagefs filesystem (docker images and container writable layers).

ImageFSInodesFree is the threshold for the inodes reclaim in the imagefs filesystem.

NodeFSAvailable is the threshold for the disk space reclaim in the nodefs filesystem (docker volumes, logs, etc).

NodeFSInodesFree is the threshold for the inodes reclaim in the nodefs filesystem.

MemoryAvailable is the grace period for the MemoryAvailable eviction threshold.

ImageFSAvailable is the grace period for the ImageFSAvailable eviction threshold.

ImageFSInodesFree is the grace period for the ImageFSInodesFree eviction threshold.

NodeFSAvailable is the grace period for the NodeFSAvailable eviction threshold.

NodeFSInodesFree is the grace period for the NodeFSInodesFree eviction threshold.

CPU is the reserved cpu.

Memory is the reserved memory.

EphemeralStorage is the reserved ephemeral-storage.

PID is the reserved process-ids.

ClusterAutoscaler contains the configuration flags for the Kubernetes cluster autoscaler.

KubeAPIServer contains configuration settings for the kube-apiserver.

KubeControllerManager contains configuration settings for the kube-controller-manager.

KubeScheduler contains configuration settings for the kube-scheduler.

KubeProxy contains configuration settings for the kube-proxy.

Kubelet contains configuration settings for the kubelet.

Version is the semantic Kubernetes version to use for the Shoot cluster. Defaults to the highest supported minor and patch version given in the referenced cloud profile. The version can be omitted completely or partially specified, e.g. <major>.<minor>.

VerticalPodAutoscaler contains the configuration flags for the Kubernetes vertical pod autoscaler.

EnableStaticTokenKubeconfig indicates whether static token kubeconfig secret will be created for the Shoot cluster. Defaults to true for Shoots with Kubernetes versions < 1.26. Defaults to false for Shoots with Kubernetes versions >= 1.26. Starting Kubernetes 1.27 the field will be locked to false.

FeatureGates contains information about enabled feature gates.

(Members of Addon are embedded into this type.)

AuthenticationMode defines the authentication mode for the kubernetes-dashboard.

Versions is the list of allowed Kubernetes versions with optional expiration dates for Shoot clusters.

A human readable message indicating details about the last error.

ID of the task which caused this last error

Well-defined error codes of the last error(s).

Last time the error was reported

A human-readable message containing details about the operations performed in the last maintenance.

TriggeredTime is the time when maintenance was triggered.

Status of the last maintenance operation, one of Processing, Succeeded, Error.

FailureReason holds the information about the last maintenance operation failure reason.

A human readable message indicating details about the last operation.

Last time the operation state transitioned from one to another.

The progress in percentage (0-100) of the last operation.

Status of the last operation, one of Aborted, Processing, Succeeded, Error, Failed.

Type of the last operation, one of Create, Reconcile, Delete, Migrate, Restore.

Allowed controls whether the ProxyProtocol is optionally allowed for the load balancer services. This should only be enabled if the load balancer services are already using ProxyProtocol or will be reconfigured to use it soon. Until the load balancers are configured with ProxyProtocol, enabling this setting may allow clients to spoof their source IP addresses. The option allows a migration from non-ProxyProtocol to ProxyProtocol without downtime (depending on the infrastructure). Defaults to false.

Type is the machine type of the worker group.

Image holds information about the machine image to use for all nodes of this pool. It will default to the latest version of the first image stated in the referenced CloudProfile if no value has been provided.

Architecture is CPU architecture of machines in this worker pool.

MachineDrainTimeout is the period after which machine is forcefully deleted.

MachineHealthTimeout is the period after which machine is declared failed.

MachineCreationTimeout is the period after which creation of the machine is declared failed.

MaxEvictRetries are the number of eviction retries on a pod after which drain is declared failed, and forceful deletion is triggered.

NodeConditions are the set of conditions if set to true for the period of MachineHealthTimeout, machine will be declared failed.

Name is the name of the image.

Versions contains versions, expiration dates and container runtimes of the machine image

UpdateStrategy is the update strategy to use for the machine image. Possible values are: - patch: update to the latest patch version of the current minor version. - minor: update to the latest minor and patch version. - major: always update to the overall latest version (default).

(Members of ExpirableVersion are embedded into this type.)

CRI list of supported container runtime and interfaces supported by this version

Architectures is the list of CPU architectures of the machine image in this version.

KubeletVersionConstraint is a constraint describing the supported kubelet versions by the machine image in this version. If the field is not specified, it is assumed that the machine image in this version supports all kubelet versions. Examples: - ‘>= 1.26’ - supports only kubelet versions greater than or equal to 1.26 - ‘< 1.26’ - supports only kubelet versions less than 1.26

CPU is the number of CPUs for this machine type.

GPU is the number of GPUs for this machine type.

Memory is the amount of memory for this machine type.

Name is the name of the machine type.

Storage is the amount of storage associated with the root volume of this machine type.

Usable defines if the machine type can be used for shoot clusters.

Architecture is the CPU architecture of this machine type.

Class is the class of the storage type.

StorageSize is the storage size.

Type is the type of the storage.

MinSize is the minimal supported storage size. This overrides any other common minimum size configuration from spec.volumeTypes[*].minSize.

AutoUpdate contains information about which constraints should be automatically updated.

TimeWindow contains information about the time window for maintenance operations.

ConfineSpecUpdateRollout prevents that changes/updates to the shoot specification will be rolled out immediately. Instead, they are rolled out during the shoot’s maintenance time window. There is one exception that will trigger an immediate roll out which is changes to the Spec.Hibernation.Enabled field.

KubernetesVersion indicates whether the patch Kubernetes version may be automatically updated (default: true).

MachineImageVersion indicates whether the machine image version may be automatically updated (default: true).

Begin is the beginning of the time window in the format HHMMSS+ZONE, e.g. “220000+0100”. If not present, a random value will be computed.

End is the end of the time window in the format HHMMSS+ZONE, e.g. “220000+0100”. If not present, the value will be computed based on the “Begin” value.

SwapBehavior configures swap memory available to container workloads. May be one of {“LimitedSwap”, “UnlimitedSwap”} defaults to: LimitedSwap

Alerting contains information about the alerting configuration for the shoot cluster.

Name of the resource reference.

ResourceRef is a reference to a resource.

CABundle is a certificate bundle which will be installed onto every host machine of shoot cluster targeting this profile.

Kubernetes contains constraints regarding allowed values of the ‘kubernetes’ block in the Shoot specification.

MachineImages contains constraints regarding allowed values for machine images in the Shoot specification.

MachineTypes contains constraints regarding allowed values for machine types in the ‘workers’ block in the Shoot specification.

Regions contains constraints regarding allowed values for regions and zones.

VolumeTypes contains constraints regarding allowed values for volume types in the ‘workers’ block in the Shoot specification.

Parent contains a reference to a CloudProfile it inherits from.

CloudProfile is the most recently generated CloudProfile of the NamespacedCloudProfile.

ObservedGeneration is the most recent generation observed for this project.

Type identifies the type of the networking plugin. This field is immutable.

ProviderConfig is the configuration passed to network resource.

Pods is the CIDR of the pod network. This field is immutable.

Nodes is the CIDR of the entire node network. This field is mutable.

Services is the CIDR of the service network. This field is immutable.

IPFamilies specifies the IP protocol versions to use for shoot networking. This field is immutable. See https://github.com/gardener/gardener/blob/master/docs/usage/ipv6.md. Defaults to [“IPv4”].

Pods are the CIDRs of the pod network.

Nodes are the CIDRs of the node network.

Services are the CIDRs of the service network.

(Members of Addon are embedded into this type.)

LoadBalancerSourceRanges is list of allowed IP sources for NginxIngress

Config contains custom configuration for the nginx-ingress-controller configuration. See https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configuration-options

ExternalTrafficPolicy controls the .spec.externalTrafficPolicy value of the load balancer Service exposing the nginx-ingress. Defaults to Cluster.

Enabled indicates whether node local DNS is enabled or not.

ForceTCPToClusterDNS indicates whether the connection from the node local DNS to the cluster DNS (Core DNS) will be forced to TCP or not. Default, if unspecified, is to enforce TCP.

ForceTCPToUpstreamDNS indicates whether the connection from the node local DNS to the upstream DNS (infrastructure DNS) will be forced to TCP or not. Default, if unspecified, is to enforce TCP.

DisableForwardToUpstreamDNS indicates whether requests from node local DNS to upstream DNS should be disabled. Default, if unspecified, is to forward requests for external domains to upstream DNS

Ref is the full artifact Ref and takes precedence over all other fields.

Repository is a reference to an OCI artifact repository.

Tag is the image tag to pull.

Digest of the image to pull, takes precedence over tag.

If set, the OpenID server’s certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host’s root CA set will be used.

ClientAuthentication can optionally contain client configuration used for kubeconfig generation.

The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.

If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details.

If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.

The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).

key=value pairs that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value.

List of allowed JOSE asymmetric signing algorithms. JWTs with a ‘alg’ header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1

The OpenID claim to use as the user name. Note that claims other than the default (‘sub’) is not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details. (default “sub”)

If provided, all usernames will be prefixed with this value. If not provided, username claims other than ‘email’ are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value ‘-’.

LastInitiationTime is the most recent time when the observability credential rotation was initiated.

LastCompletionTime is the most recent time when the observability credential rotation was successfully completed.

Extra configuration added to kubeconfig’s auth-provider. Must not be any of idp-issuer-url, client-id, client-secret, idp-certificate-authority, idp-certificate-authority-data, id-token or refresh-token

The client Secret for the OpenID Connect client.

(Members of Subject are embedded into this type.)

Subject is representing a user name, an email address, or any other identifier of a user, group, or service account that has a certain role.

Role represents the role of this member. IMPORTANT: Be aware that this field will be removed in the v1 version of this API in favor of the roles list. TODO: Remove this field in favor of the roles list in v1.

Roles represents the list of roles of this member.

CreatedBy is a subject representing a user name, an email address, or any other identifier of a user who created the project. This field is immutable.

Description is a human-readable description of what the project is used for.

Owner is a subject representing a user name, an email address, or any other identifier of a user owning the project. IMPORTANT: Be aware that this field will be removed in the v1 version of this API in favor of the owner role. The only way to change the owner will be by moving the owner role. In this API version the only way to change the owner is to use this field. TODO: Remove this field in favor of the owner role in v1.

Purpose is a human-readable explanation of the project’s purpose.

Members is a list of subjects representing a user name, an email address, or any other identifier of a user, group, or service account that has a certain role.

Namespace is the name of the namespace that has been created for the Project object. A nil value means that Gardener will determine the name of the namespace. This field is immutable.

Tolerations contains the tolerations for taints on seed clusters.

DualApprovalForDeletion contains configuration for the dual approval concept for resource deletion.

ObservedGeneration is the most recent generation observed for this project.

Phase is the current phase of the project.

StaleSinceTimestamp contains the timestamp when the project was first discovered to be stale/unused.

StaleAutoDeleteTimestamp contains the timestamp when the project will be garbage-collected/automatically deleted because it’s stale/unused.

LastActivityTimestamp contains the timestamp from the last activity performed in this project.

Defaults contains a list of tolerations that are added to the shoots in this project by default.

Whitelist contains a list of tolerations that are allowed to be added to the shoots in this project. Please note that this list may only be added by users having the spec-tolerations-whitelist verb for project resources.

Type is the type of the provider. This field is immutable.

ControlPlaneConfig contains the provider-specific control plane config blob. Please look up the concrete definition in the documentation of your provider extension.

InfrastructureConfig contains the provider-specific infrastructure config blob. Please look up the concrete definition in the documentation of your provider extension.

Workers is a list of worker groups.

WorkersSettings contains settings for all workers.

ClusterLifetimeDays is the lifetime of a Shoot cluster in days before it will be terminated automatically.

Metrics is a list of resources which will be put under constraints.

Scope is the scope of the Quota object, either ‘project’ or ‘secret’. This field is immutable.

Name is a region name.

Zones is a list of availability zones in this region.

Labels is an optional set of key-value pairs that contain certain administrator-controlled labels for this region. It can be used by Gardener administrators/operators to provide additional information about a region, e.g. wrt quality, reliability, access restrictions, etc.

(Members of CrossVersionObjectReference are embedded into this type.)

Data of the resource

APIGroup is the API group of the resource for which the watch cache size should be configured. An unset value is used to specify the legacy core API (e.g. for secrets).

Resource is the name of the resource for which the watch cache size should be configured (in lowercase plural form, e.g. secrets).

CacheSize specifies the watch cache size that should be configured for the specified resource.

Enabled indicates whether the SSH access to the worker nodes is ensured to be enabled or disabled in systemd. Defaults to true.

Type is the type of the provider.

For backwards compatibility, the field can contain multiple providers separated by a comma. However the usage of single SecretBinding (hence Secret) for different cloud providers is strongly discouraged.

Provider is a provider name. This field is immutable.

ProviderConfig is the configuration passed to BackupBucket resource.

Region is a region name. This field is immutable.

SecretRef is a reference to a Secret object containing the cloud provider credentials for the object store where backups should be stored. It should have enough privileges to manipulate the objects as well as buckets.

Provider configures a DNSProvider

Type describes the type of the dns-provider, for example aws-route53

SecretRef is a reference to a Secret object containing cloud provider credentials used for registering external domains.

Nodes is the CIDR of the node network. This field is immutable.

Pods is the CIDR of the pod network. This field is immutable.

Services is the CIDR of the service network. This field is immutable.

ShootDefaults contains the default networks CIDRs for shoots.

BlockCIDRs is a list of network addresses that should be blocked for shoot control plane components running in the seed cluster.

IPFamilies specifies the IP protocol versions to use for seed networking. This field is immutable. See https://github.com/gardener/gardener/blob/master/docs/usage/ipv6.md. Defaults to [“IPv4”].

Type is the name of the provider.

ProviderConfig is the configuration passed to Seed resource.

Region is a name of a region.

Zones is the list of availability zones the seed cluster is deployed to.

(Members of LabelSelector are embedded into this type.)

LabelSelector is optional and can be used to select seeds by their label settings

Providers is optional and can be used by restricting seeds by their provider type. ‘*’ can be used to enable seeds regardless of their provider type.

Weeder controls the weeder settings for the dependency-watchdog for the seed.

Prober controls the prober settings for the dependency-watchdog for the seed.

Enabled controls whether the probe controller(prober) of the dependency-watchdog should be enabled. This controller scales down the kube-controller-manager, machine-controller-manager and cluster-autoscaler of shoot clusters in case their respective kube-apiserver is not reachable via its external ingress in order to avoid melt-down situations.

Enabled controls whether the endpoint controller(weeder) of the dependency-watchdog should be enabled. This controller helps to alleviate the delay where control plane components remain unavailable by finding the respective pods in CrashLoopBackoff status and restarting them once their dependants become ready and available again.

Enabled controls whether the default excess capacity reservation should be enabled. When not specified, the functionality is enabled.

Configs configures excess capacity reservation deployments for shoot control planes in the seed.

Resources specify the resource requests and limits of the excess-capacity-reservation pod.

NodeSelector specifies the node where the excess-capacity-reservation pod should run.

Tolerations specify the tolerations for the the excess-capacity-reservation pod.

Annotations is a map of annotations that will be injected/merged into every load balancer service object.

ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the service’s “externally-facing” addresses. Defaults to “Cluster”.

Zones controls settings, which are specific to the single-zone load balancers in a multi-zonal setup. Can be empty for single-zone seeds. Each specified zone has to relate to one of the zones in seed.spec.provider.zones.

ProxyProtocol controls whether ProxyProtocol is (optionally) allowed for the load balancer services. Defaults to nil, which is equivalent to not allowing ProxyProtocol.

Name is the name of the zone as specified in seed.spec.provider.zones.

Annotations is a map of annotations that will be injected/merged into the zone-specific load balancer service object.

ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the service’s “externally-facing” addresses. Defaults to “Cluster”.

ProxyProtocol controls whether ProxyProtocol is (optionally) allowed for the load balancer services. Defaults to nil, which is equivalent to not allowing ProxyProtocol.

Visible controls whether the gardener-scheduler shall consider this seed when scheduling shoots. Invisible seeds are not considered by the scheduler.

Enabled controls whether certain Services deployed in the seed cluster should be topology-aware. These Services are etcd-main-client, etcd-events-client, kube-apiserver, gardener-resource-manager and vpa-webhook.

Enabled controls whether the VPA components shall be deployed into the garden namespace in the seed cluster. It is enabled by default because Gardener heavily relies on a VPA being deployed. You should only disable this if your seed cluster already has another, manually/custom managed VPA deployment.

ExcessCapacityReservation controls the excess capacity reservation for shoot control planes in the seed.

Scheduling controls settings for scheduling decisions for the seed.

LoadBalancerServices controls certain settings for services of type load balancer that are created in the seed.

VerticalPodAutoscaler controls certain settings for the vertical pod autoscaler components deployed in the seed.

DependencyWatchdog controls certain settings for the dependency-watchdog components deployed in the seed.

TopologyAwareRouting controls certain settings for topology-aware traffic routing in the seed. See https://github.com/gardener/gardener/blob/master/docs/operations/topology_aware_routing.md.

Backup holds the object store configuration for the backups of shoot (currently only etcd). If it is not specified, then there won’t be any backups taken for shoots associated with this seed. If backup field is present in seed, then backups of the etcd from shoot control plane will be stored under the configured object store.

DNS contains DNS-relevant information about this seed cluster.

Networks defines the pod, service and worker network of the Seed cluster.

Provider defines the provider type and region for this Seed cluster.

Taints describes taints on the seed.

Volume contains settings for persistentvolumes created in the seed cluster.

Settings contains certain settings for this seed cluster.

Ingress configures Ingress specific settings of the Seed cluster. This field is immutable.

Gardener holds information about the Gardener which last acted on the Shoot.

KubernetesVersion is the Kubernetes version of the seed cluster.

Conditions represents the latest available observations of a Seed’s current state.

ObservedGeneration is the most recent generation observed for this Seed. It corresponds to the Seed’s generation, which is updated on mutation by the API Server.

ClusterIdentity is the identity of the Seed cluster. This field is immutable.

Capacity represents the total resources of a seed.

Allocatable represents the resources of a seed that are available for scheduling. Defaults to Capacity.

ClientCertificateExpirationTimestamp is the timestamp at which gardenlet’s client certificate expires.

LastOperation holds information about the last operation on the Seed.

Key is the taint key to be applied to a seed.

Value is the taint value corresponding to the taint key.

Standard object metadata.

Specification of the desired behavior of the Seed.

MinimumSize defines the minimum size that should be used for PVCs in the seed.

Providers is a list of storage class provisioner types for the seed.

Purpose is the purpose of this provider.

Name is the name of the storage class provisioner type.

Issuer is the identifier of the service account token issuer. The issuer will assert this identifier in “iss” claim of issued tokens. This value is used to generate new service account tokens. This value is a string or URI. Defaults to URI of the API server.

ExtendTokenExpiration turns on projected service account expiration extension during token generation, which helps safe transition from legacy token to bound service account token feature. If this flag is enabled, admission injected tokens would be extended up to 1 year to prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration.

MaxTokenExpiration is the maximum validity duration of a token created by the service account token issuer. If an otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value. This field must be within [30d,90d].

AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted. These values are not used to generate new service account tokens. Only useful when service account tokens are also issued by another external system or a change of the current issuer that is used for generating tokens is being performed.

Phase describes the phase of the service account key credential rotation.

LastCompletionTime is the most recent time when the service account key credential rotation was successfully completed.

LastInitiationTime is the most recent time when the service account key credential rotation was initiated.

LastInitiationFinishedTime is the recent time when the certificate authority credential rotation initiation was completed.

LastCompletionTriggeredTime is the recent time when the certificate authority credential rotation completion was triggered.

Name of the advertised address. e.g. external

The URL of the API Server. e.g. https://api.foo.bar or https://1.2.3.4

Rotation contains information about the credential rotations.

CertificateAuthorities contains information about the certificate authority credential rotation.

Kubeconfig contains information about the kubeconfig credential rotation.

SSHKeypair contains information about the ssh-keypair credential rotation.

Observability contains information about the observability credential rotation.

ServiceAccountKey contains information about the service account key credential rotation.

ETCDEncryptionKey contains information about the ETCD encryption key credential rotation.

LastInitiationTime is the most recent time when the kubeconfig credential rotation was initiated.

LastCompletionTime is the most recent time when the kubeconfig credential rotation was successfully completed.

Name is the name of the image.

ProviderConfig is the shoot’s individual configuration passed to an extension resource.

Version is the version of the shoot’s image. If version is not provided, it will be defaulted to the latest version from the CloudProfile.

Pods is the CIDR of the pod network.

Services is the CIDR of the service network.

LastInitiationTime is the most recent time when the ssh-keypair credential rotation was initiated.

LastCompletionTime is the most recent time when the ssh-keypair credential rotation was successfully completed.

Addons contains information about enabled/disabled addons and their configuration.

CloudProfileName is a name of a CloudProfile object. This field will be deprecated soon, use CloudProfile instead.

DNS contains information about the DNS settings of the Shoot.

Extensions contain type and provider information for Shoot extensions.

Hibernation contains information whether the Shoot is suspended or not.

Kubernetes contains the version and configuration settings of the control plane components.

Networking contains information about cluster networking such as CNI Plugin type, CIDRs, …etc.

Maintenance contains information about the time window for maintenance operations and which operations should be performed.

Monitoring contains information about custom monitoring configurations for the shoot.

Provider contains all provider-specific and provider-relevant information.

Purpose is the purpose class for this cluster.

Region is a name of a region. This field is immutable.

SecretBindingName is the name of the a SecretBinding that has a reference to the provider secret. The credentials inside the provider secret will be used to create the shoot in the respective account. The field is mutually exclusive with CredentialsBindingName. This field is immutable.

SeedName is the name of the seed cluster that runs the control plane of the Shoot.

SeedSelector is an optional selector which must match a seed’s labels for the shoot to be scheduled on that seed.

Resources holds a list of named resource references that can be referred to in extension configs by their names.

Tolerations contains the tolerations for taints on seed clusters.

ExposureClassName is the optional name of an exposure class to apply a control plane endpoint exposure strategy. This field is immutable.

SystemComponents contains the settings of system components in the control or data plane of the Shoot cluster.

ControlPlane contains general settings for the control plane of the shoot.

SchedulerName is the name of the responsible scheduler which schedules the shoot. If not specified, the default scheduler takes over. This field is immutable.

CloudProfile contains a reference to a CloudProfile or a NamespacedCloudProfile.

CredentialsBindingName is the name of the a CredentialsBinding that has a reference to the provider credentials. The credentials will be used to create the shoot in the respective account. The field is mutually exclusive with SecretBindingName. This field is immutable.

Gardener holds the data required to generate resources deployed by the gardenlet

Extensions holds the state of custom resources reconciled by extension controllers in the seed

Resources holds the data of resources referred to by extension controller states