RuntimeCluster is the deployment configuration for the admission in the runtime cluster. The runtime deployment is responsible for creating the admission controller in the runtime cluster.

VirtualCluster is the deployment configuration for the admission deployment in the garden cluster. The garden deployment installs necessary resources in the virtual garden cluster e.g. RBAC that are necessary for the admission controller.

Values are the deployment values. The values will be applied to both admission deployments.

BatchMaxSize is the maximum size of a batch.

KubeconfigSecretName specifies the name of a secret containing the kubeconfig for this webhook.

Version is the API version to send and expect from the webhook.

Webhook contains settings related to an authentication webhook configuration.

CacheTTL is the duration to cache responses from the webhook authenticator.

KubeconfigSecretName specifies the name of a secret containing the kubeconfig for this webhook.

Version is the API version to send and expect from the webhook.

Provider is a provider name. This field is immutable.

BucketName is the name of the backup bucket. If not provided, gardener-operator attempts to manage a new bucket. In this case, the cloud provider credentials provided in the SecretRef must have enough privileges for creating and deleting buckets.

ProviderConfig is the provider-specific configuration passed to BackupBucket resource.

SecretRef is a reference to a Secret object containing the cloud provider credentials for the object store where backups should be stored. It should have enough privileges to manipulate the objects as well as buckets.

HighAvailability holds the configuration settings for high availability settings.

Rotation contains information about the credential rotations.

CertificateAuthorities contains information about the certificate authority credential rotation.

ServiceAccountKey contains information about the service account key credential rotation.

ETCDEncryptionKey contains information about the ETCD encryption key credential rotation.

Observability contains information about the observability credential rotation.

WorkloadIdentityKey contains information about the workload identity key credential rotation.

Domains are the external domains of the virtual garden cluster. The first given domain in this list is immutable.

Name is the domain name.

Provider is the name of the DNS provider as declared in the ‘.spec.dns.providers’ section. It is only optional, if the .spec.dns section is not provided at all.

Providers is a list of DNS providers.

Name is the name of the DNS provider.

Type is the type of the DNS provider.

Config is the provider-specific configuration passed to DNSRecord resources.

SecretRef is a reference to a Secret object containing the DNS provider credentials.

APIURL is the URL to the GitHub API.

Organisation is the name of the GitHub organisation.

Repository is the name of the GitHub repository.

SecretRef is the reference to a secret in the garden namespace containing the GitHub credentials.

PollInterval is the interval of how often the GitHub API is polled for issue updates. This field is used as a fallback mechanism to ensure state synchronization, even when there is a GitHub webhook configuration. If a webhook event is missed or not successfully delivered, the polling will help catch up on any missed updates. If this field is not provided and there is no ‘webhookSecret’ key in the referenced secret, it will be implicitly defaulted to 15m.

Enabled controls whether the Dashboard Ingress resource will be deployed to the cluster.

ClientIDPublic is the public client ID. Falls back to the API server’s OIDC client ID configuration if not set here.

The URL of the OpenID issuer, only HTTPS scheme will be accepted. Used to verify the OIDC JSON Web Token (JWT). Falls back to the API server’s OIDC issuer URL configuration if not set here.

SessionLifetime is the maximum duration of a session.

AdditionalScopes is the list of additional OIDC scopes.

SecretRef is the reference to a secret in the garden namespace containing the OIDC client ID and secret for the dashboard.

CertificateAuthoritySecretRef is the reference to a secret in the garden namespace containing a custom CA certificate under the “ca.crt” key

Container contains configuration for the dashboard terminal container.

AllowedHosts should consist of permitted hostnames (without the scheme) for terminal connections. It is important to consider that the usage of wildcards follows the rules defined by the content security policy. ‘.seed.local.gardener.cloud’, or ‘.other-seeds.local.gardener.cloud’. For more information, see https://github.com/gardener/dashboard/blob/master/docs/operations/webterminals.md#allowlist-for-hosts.

Image is the container image for the dashboard terminal container.

Description is a description for the dashboard terminal container with hints for the user.

ExtensionDeployment contains the deployment configuration an extension.

AdmissionDeployment contains the deployment configuration for an admission controller.

Helm contains the specification for a Helm deployment.

Main contains configuration for the main etcd.

Events contains configuration for the events etcd.

Autoscaling contains auto-scaling configuration options for etcd.

Storage contains storage configuration.

Autoscaling contains auto-scaling configuration options for etcd.

Backup contains the object store configuration for backups for the virtual garden etcd.

Storage contains storage configuration.

Standard object metadata.

Spec contains the specification of this extension.

Status contains the status of this extension.

(Members of DeploymentSpec are embedded into this type.)

DeploymentSpec is the deployment configuration for the extension.

Values are the deployment values used in the creation of the ControllerDeployment in the virtual garden cluster.

RuntimeClusterValues are the deployment values for the extension deployment running in the runtime garden cluster.

Policy controls how the controller is deployed. It defaults to ‘OnDemand’.

SeedSelector contains an optional label selector for seeds. Only if the labels match then this controller will be considered for a deployment. An empty list means that all seeds are selected.

InjectGardenKubeconfig controls whether a kubeconfig to the garden cluster should be injected into workload resources.

OCIRepository defines where to pull the chart from.

Resources is a list of combinations of kinds (DNSRecord, Backupbucket, …) and their actual types (aws-route53, gcp).

Deployment contains deployment configuration for an extension and it’s admission controller.

ObservedGeneration is the most recent generation observed for this resource.

Conditions represents the latest available observations of an Extension’s current state.

ProviderStatus contains type-specific status.

Standard object metadata.

Spec contains the specification of this garden.

Status contains the status of this garden.

Type is the type of the extension resource.

ProviderConfig is the configuration passed to extension resource.

DNS contains specifications of DNS providers.

Extensions contain type and provider information for Garden extensions.

RuntimeCluster contains configuration for the runtime cluster.

VirtualCluster contains configuration for the virtual cluster.

Gardener holds information about the Gardener which last acted on the Garden.

Conditions is a list of conditions.

LastOperation holds information about the last operation on the Garden.

ObservedGeneration is the most recent generation observed for this resource.

Credentials contains information about the virtual garden cluster credentials.

EncryptedResources is the list of resources which are currently encrypted in the virtual garden by the virtual kube-apiserver. Resources which are encrypted by default will not appear here. See https://github.com/gardener/gardener/blob/master/docs/concepts/operator.md#etcd-encryption-config for more details.

ClusterIdentity is the identity of the garden cluster. This field is immutable.

APIServer contains configuration settings for the gardener-apiserver.

AdmissionController contains configuration settings for the gardener-admission-controller.

ControllerManager contains configuration settings for the gardener-controller-manager.

Scheduler contains configuration settings for the gardener-scheduler.

Dashboard contains configuration settings for the gardener-dashboard.

DiscoveryServer contains configuration settings for the gardener-discovery-server.

(Members of KubernetesConfig are embedded into this type.)

AdmissionPlugins contains the list of user-defined admission plugins (additional to those managed by Gardener), and, if desired, the corresponding configuration.

AuditConfig contains configuration settings for the audit of the kube-apiserver.

AuditWebhook contains settings related to an audit webhook configuration.

Logging contains configuration for the log level and HTTP access logs.

Requests contains configuration for request-specific settings for the kube-apiserver.

WatchCacheSizes contains configuration of the API server’s watch cache sizes. Configuring these flags might be useful for large-scale Garden clusters with a lot of parallel update requests and a lot of watching controllers (e.g. large ManagedSeed clusters). When the API server’s watch cache’s capacity is too small to cope with the amount of update requests and watchers for a particular resource, it might happen that controller watches are permanently stopped with too old resource version errors. Starting from kubernetes v1.19, the API server’s watch cache size is adapted dynamically and setting the watch cache size flags will have no effect, except when setting it to 0 (which disables the watch cache).

EncryptionConfig contains customizable encryption configuration of the Gardener API server.

GoAwayChance can be used to prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client’s other in-flight requests won’t be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This field sets the fraction of requests that will be sent a GOAWAY. Min is 0 (off), Max is 0.02 (¹⁄₅₀ requests); 0.001 (¹⁄₁₀₀₀) is a recommended starting point.

ShootAdminKubeconfigMaxExpiration is the maximum validity duration of a credential requested to a Shoot by an AdminKubeconfigRequest. If an otherwise valid AdminKubeconfigRequest with a validity duration larger than this value is requested, a credential will be issued with a validity duration of this value.

LogLevel is the configured log level for the gardener-admission-controller. Must be one of [info,debug,error]. Defaults to info.

ResourceAdmissionConfiguration is the configuration for resource size restrictions for arbitrary Group-Version-Kinds.

(Members of KubernetesConfig are embedded into this type.)

DefaultProjectQuotas is the default configuration matching projects are set up with if a quota is not already specified.

LogLevel is the configured log level for the gardener-controller-manager. Must be one of [info,debug,error]. Defaults to info.

EnableTokenLogin specifies whether it is possible to log into the dashboard with a JWT token. If disabled, OIDC must be configured.

FrontendConfigMapRef is the reference to a ConfigMap in the garden namespace containing the frontend configuration.

AssetsConfigMapRef is the reference to a ConfigMap in the garden namespace containing the assets (logos/icons).

GitHub contains configuration for the GitHub ticketing feature.

LogLevel is the configured log level. Must be one of [trace,debug,info,warn,error]. Defaults to info.

OIDCConfig contains configuration for the OIDC provider. This field must be provided when EnableTokenLogin is false.

Terminal contains configuration for the terminal settings.

Ingress contains configuration for the ingress settings.

(Members of KubernetesConfig are embedded into this type.)

LogLevel is the configured log level for the gardener-scheduler. Must be one of [info,debug,error]. Defaults to info.

Group is the API group name.

Resource is the resource name.

Domains specify the ingress domains of the cluster pointing to the ingress controller endpoint. They will be used to construct ingress URLs for system applications running in runtime cluster.

Controller configures a Gardener managed Ingress Controller listening on the ingressDomain.

(Members of KubeAPIServerConfig are embedded into this type.)

KubeAPIServerConfig contains all configuration values not specific to the virtual garden cluster.

AuditWebhook contains settings related to an audit webhook configuration.

Authentication contains settings related to authentication.

ResourcesToStoreInETCDEvents contains a list of resources which should be stored in etcd-events instead of etcd-main. The ‘events’ resource is always stored in etcd-events. Note that adding or removing resources from this list will not migrate them automatically from the etcd-main to etcd-events or vice versa.

SNI contains configuration options for the TLS SNI settings.

(Members of KubeControllerManagerConfig are embedded into this type.)

KubeControllerManagerConfig contains all configuration values not specific to the virtual garden cluster.

CertificateSigningDuration is the maximum length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.

KubeAPIServer contains configuration settings for the kube-apiserver.

KubeControllerManager contains configuration settings for the kube-controller-manager.

Version is the semantic Kubernetes version to use for the virtual garden cluster.

TimeWindow contains information about the time window for maintenance operations.

Services are the CIDRs of the service network. Elements can be appended to this list, but not removed.

Config is the corev1.ResourceQuota specification used for the project set-up.

ProjectSelector is an optional setting to select the projects considered for quotas. Defaults to empty LabelSelector, which matches all projects.

Region is the region the cluster is deployed to.

Zones is the list of availability zones the cluster is deployed to.

Limits contains configuration for resources which are subjected to size limitations.

UnrestrictedSubjects contains references to users, groups, or service accounts which aren’t subjected to any resource size limit.

OperationMode specifies the mode the webhooks operates in. Allowed values are “block” and “log”. Defaults to “block”.

APIGroups is the name of the APIGroup that contains the limited resource. WildcardAll represents all groups.

APIVersions is the version of the resource. WildcardAll represents all versions.

Resources is the name of the resource this rule applies to. WildcardAll represents all resources.

Size specifies the imposed limit.

Ingress configures Ingress specific settings for the Garden cluster.

Networking defines the networking configuration of the runtime cluster.

Provider defines the provider-specific information for this cluster.

Settings contains certain settings for this cluster.

Volume contains settings for persistent volumes created in the runtime cluster.

Nodes are the CIDRs of the node network. Elements can be appended to this list, but not removed.

Pods are the CIDRs of the pod network. Elements can be appended to this list, but not removed.

Services are the CIDRs of the service network. Elements can be appended to this list, but not removed.

BlockCIDRs is a list of network addresses that should be blocked.

SecretName is the name of a secret containing the TLS certificate and private key.

DomainPatterns is a list of fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names.

Annotations is a map of annotations that will be injected/merged into every load balancer service object.

Enabled controls whether certain Services deployed in the cluster should be topology-aware. These Services are virtual-garden-etcd-main-client, virtual-garden-etcd-events-client and virtual-garden-kube-apiserver. Additionally, other components that are deployed to the runtime cluster via other means can read this field and according to its value enable/disable topology-aware routing for their Services.

Enabled controls whether the VPA components shall be deployed into this cluster. It is true by default because the operator (and Gardener) heavily rely on a VPA being deployed. You should only disable this if your runtime cluster already has another, manually/custom managed VPA deployment. If this is not the case, but you still disable it, then reconciliation will fail.

LoadBalancerServices controls certain settings for services of type load balancer that are created in the runtime cluster.

VerticalPodAutoscaler controls certain settings for the vertical pod autoscaler components deployed in the cluster.

TopologyAwareRouting controls certain settings for topology-aware traffic routing in the cluster. See https://github.com/gardener/gardener/blob/master/docs/operations/topology_aware_routing.md.

Capacity is the storage capacity for the volumes.

ClassName is the name of a storage class.

ControlPlane holds information about the general settings for the control plane of the virtual cluster.

DNS holds information about DNS settings.

ETCD contains configuration for the etcds of the virtual garden cluster.

Gardener contains the configuration options for the Gardener control plane components.

Kubernetes contains the version and configuration options for the Kubernetes components of the virtual garden cluster.

Maintenance contains information about the time window for maintenance operations.

Networking contains information about cluster networking such as CIDRs, etc.

MinimumSize defines the minimum size that should be used for PVCs in the runtime cluster.

Phase describes the phase of the workload identity key credential rotation.

LastCompletionTime is the most recent time when the workload identity key credential rotation was successfully completed.

LastInitiationTime is the most recent time when the workload identity key credential rotation was initiated.

LastInitiationFinishedTime is the recent time when the workload identity key credential rotation initiation was completed.

LastCompletionTriggeredTime is the recent time when the workload identity key credential rotation completion was triggered.