operator.md

Packages:

• operator.gardener.cloud/v1alpha1

operator.gardener.cloud/v1alpha1

Resource Types:

• Extension
• Garden

AdmissionDeploymentSpec

(Appears on:Deployment)

AdmissionDeploymentSpec contains the deployment specification for the admission controller of an extension.

Field	Description
runtimeCluster DeploymentSpec	(Optional) RuntimeCluster is the deployment configuration for the admission in the runtime cluster. The runtime deployment is responsible for creating the admission controller in the runtime cluster.
virtualCluster DeploymentSpec	(Optional) VirtualCluster is the deployment configuration for the admission deployment in the garden cluster. The garden deployment installs necessary resources in the virtual garden cluster e.g. RBAC that are necessary for the admission controller.
values JSON	(Optional) Values are the deployment values. The values will be applied to both admission deployments.

AuditWebhook

(Appears on:GardenerAPIServerConfig, KubeAPIServerConfig)

AuditWebhook contains settings related to an audit webhook configuration.

Field	Description
batchMaxSize integer	(Optional) BatchMaxSize is the maximum size of a batch.
kubeconfigSecretName string	KubeconfigSecretName specifies the name of a secret containing the kubeconfig for this webhook.
version string	(Optional) Version is the API version to send and expect from the webhook.

Authentication

(Appears on:KubeAPIServerConfig)

Authentication contains settings related to authentication.

Field	Description
webhook AuthenticationWebhook	(Optional) Webhook contains settings related to an authentication webhook configuration.

AuthenticationWebhook

(Appears on:Authentication)

AuthenticationWebhook contains settings related to an authentication webhook configuration.

Field	Description
cacheTTL Duration	(Optional) CacheTTL is the duration to cache responses from the webhook authenticator.
kubeconfigSecretName string	KubeconfigSecretName specifies the name of a secret containing the kubeconfig for this webhook.
version string	(Optional) Version is the API version to send and expect from the webhook.

Backup

(Appears on:ETCDMain)

Backup contains the object store configuration for backups for the virtual garden etcd.

Field	Description
provider string	Provider is a provider name. This field is immutable.
bucketName string	(Optional) BucketName is the name of the backup bucket. If not provided, gardener-operator attempts to manage a new bucket. In this case, the cloud provider credentials provided in the SecretRef must have enough privileges for creating and deleting buckets.
providerConfig RawExtension	(Optional) ProviderConfig is the provider-specific configuration passed to BackupBucket resource.
region string	(Optional) Region is a region name. If undefined, the provider region is used. This field is immutable.
secretRef LocalObjectReference	SecretRef is a reference to a Secret object containing the cloud provider credentials for the object store where backups should be stored. It should have enough privileges to manipulate the objects as well as buckets.

ControlPlane

(Appears on:VirtualCluster)

ControlPlane holds information about the general settings for the control plane of the virtual garden cluster.

Field	Description
highAvailability HighAvailability	(Optional) HighAvailability holds the configuration settings for high availability settings.

Credentials

(Appears on:GardenStatus)

Credentials contains information about the virtual garden cluster credentials.

Field	Description
rotation CredentialsRotation	(Optional) Rotation contains information about the credential rotations.
encryptionAtRest EncryptionAtRest	(Optional) EncryptionAtRest contains information about garden data encryption at rest.

CredentialsRotation

(Appears on:Credentials)

CredentialsRotation contains information about the rotation of credentials.

Field	Description
certificateAuthorities CARotation	(Optional) CertificateAuthorities contains information about the certificate authority credential rotation.
serviceAccountKey ServiceAccountKeyRotation	(Optional) ServiceAccountKey contains information about the service account key credential rotation.
etcdEncryptionKey ETCDEncryptionKeyRotation	(Optional) ETCDEncryptionKey contains information about the ETCD encryption key credential rotation.
observability ObservabilityRotation	(Optional) Observability contains information about the observability credential rotation.
workloadIdentityKey WorkloadIdentityKeyRotation	(Optional) WorkloadIdentityKey contains information about the workload identity key credential rotation.

DNS

(Appears on:VirtualCluster)

DNS holds information about DNS settings.

Field	Description
domains DNSDomain array	Domains are the external domains of the virtual garden cluster. The first given domain in this list is immutable.

DNSDomain

(Appears on:DNS, GardenerDiscoveryServerConfig, Ingress)

DNSDomain defines a DNS domain with optional provider.

Field	Description
name string	Name is the domain name.
provider string	(Optional) Provider is the name of the DNS provider as declared in the '.spec.dns.providers' section. It is only optional, if the `.spec.dns` section is not provided at all.

DNSManagement

(Appears on:GardenSpec)

DNSManagement contains specifications of DNS providers.

Field	Description
providers DNSProvider array	Providers is a list of DNS providers.

DNSProvider

(Appears on:DNSManagement)

DNSProvider contains the configuration for a DNS provider.

Field	Description
name string	Name is the name of the DNS provider.
type string	Type is the type of the DNS provider.
providerConfig RawExtension	(Optional) Config is the provider-specific configuration passed to DNSRecord resources.
secretRef LocalObjectReference	SecretRef is a reference to a Secret object containing the DNS provider credentials.

DashboardGitHub

(Appears on:GardenerDashboardConfig)

DashboardGitHub contains configuration for the GitHub ticketing feature.

Field	Description
apiURL string	APIURL is the URL to the GitHub API.
organisation string	Organisation is the name of the GitHub organisation.
repository string	Repository is the name of the GitHub repository.
secretRef LocalObjectReference	SecretRef is the reference to a secret in the garden namespace containing the GitHub credentials.
pollInterval Duration	(Optional) PollInterval is the interval of how often the GitHub API is polled for issue updates. This field is used as a fallback mechanism to ensure state synchronization, even when there is a GitHub webhook configuration. If a webhook event is missed or not successfully delivered, the polling will help catch up on any missed updates. If this field is not provided and there is no 'webhookSecret' key in the referenced secret, it will be implicitly defaulted to `15m`.

DashboardIngress

(Appears on:GardenerDashboardConfig)

DashboardIngress contains configuration for the dashboard ingress resource.

Field	Description
enabled boolean	(Optional) Enabled controls whether the Dashboard Ingress resource will be deployed to the cluster.

DashboardOIDC

(Appears on:GardenerDashboardConfig)

DashboardOIDC contains configuration for the OIDC settings.

Field	Description
clientIDPublic string	(Optional) ClientIDPublic is the public client ID. Falls back to the API server's OIDC client ID configuration if not set here.
issuerURL string	(Optional) The URL of the OpenID issuer, only HTTPS scheme will be accepted. Used to verify the OIDC JSON Web Token (JWT). Falls back to the API server's OIDC issuer URL configuration if not set here.
sessionLifetime Duration	(Optional) SessionLifetime is the maximum duration of a session.
additionalScopes string array	(Optional) AdditionalScopes is the list of additional OIDC scopes.
secretRef LocalObjectReference	SecretRef is the reference to a secret in the garden namespace containing the OIDC client ID and secret for the dashboard.
certificateAuthoritySecretRef LocalObjectReference	(Optional) CertificateAuthoritySecretRef is the reference to a secret in the garden namespace containing a custom CA certificate under the "ca.crt" key

DashboardTerminal

(Appears on:GardenerDashboardConfig)

DashboardTerminal contains configuration for the terminal settings.

Field	Description
container DashboardTerminalContainer	Container contains configuration for the dashboard terminal container.
allowedHosts string array	(Optional) AllowedHosts should consist of permitted hostnames (without the scheme) for terminal connections. It is important to consider that the usage of wildcards follows the rules defined by the content security policy. '*.seed.local.gardener.cloud', or '*.other-seeds.local.gardener.cloud'. For more information, see https://github.com/gardener/dashboard/blob/master/docs/operations/webterminals.md#allowlist-for-hosts.

DashboardTerminalContainer

(Appears on:DashboardTerminal)

DashboardTerminalContainer contains configuration for the dashboard terminal container.

Field	Description
image string	Image is the container image for the dashboard terminal container.
description string	(Optional) Description is a description for the dashboard terminal container with hints for the user.

Deployment

(Appears on:ExtensionSpec)

Deployment specifies how an extension can be installed for a Gardener landscape. It includes the specification for installing an extension and/or an admission controller.

Field	Description
extension ExtensionDeploymentSpec	(Optional) ExtensionDeployment contains the deployment configuration an extension.
admission AdmissionDeploymentSpec	(Optional) AdmissionDeployment contains the deployment configuration for an admission controller.

DeploymentSpec

(Appears on:AdmissionDeploymentSpec, ExtensionDeploymentSpec)

DeploymentSpec is the specification for the deployment of a component.

Field	Description
helm ExtensionHelm	Helm contains the specification for a Helm deployment.

ETCD

(Appears on:VirtualCluster)

ETCD contains configuration for the etcds of the virtual garden cluster.

Field	Description
main ETCDMain	(Optional) Main contains configuration for the main etcd.
events ETCDEvents	(Optional) Events contains configuration for the events etcd.

ETCDEvents

(Appears on:ETCD)

ETCDEvents contains configuration for the events etcd.

Field	Description
autoscaling ControlPlaneAutoscaling	(Optional) Autoscaling contains auto-scaling configuration options for etcd.
storage Storage	(Optional) Storage contains storage configuration.

ETCDMain

(Appears on:ETCD)

ETCDMain contains configuration for the main etcd.

Field	Description
autoscaling ControlPlaneAutoscaling	(Optional) Autoscaling contains auto-scaling configuration options for etcd.
backup Backup	(Optional) Backup contains the object store configuration for backups for the virtual garden etcd.
storage Storage	(Optional) Storage contains storage configuration.

EncryptionAtRest

(Appears on:Credentials)

EncryptionAtRest contains information about virtual garden data encryption at rest.

Field	Description
resources string array	(Optional) Resources is the list of resources which are currently encrypted in the virtual garden by the virtual kube-apiserver. Resources which are encrypted by default will not appear here. See https://github.com/gardener/gardener/blob/master/docs/concepts/operator.md#etcd-encryption-config for more details.
provider EncryptionProviderStatus	Provider contains information about virtual garden encryption provider.

EncryptionProviderStatus

(Appears on:EncryptionAtRest)

EncryptionProviderStatus contains information about virtual garden encryption provider.

Field	Description
type EncryptionProviderType	Type is the used encryption provider type.

Extension

Extension describes a Gardener extension.

Field	Description
metadata ObjectMeta	Refer to the Kubernetes API documentation for the fields of the metadata field.
spec ExtensionSpec	Spec contains the specification of this extension.
status ExtensionStatus	Status contains the status of this extension.

ExtensionDeploymentSpec

(Appears on:Deployment)

ExtensionDeploymentSpec specifies how to install the extension in a gardener landscape. The installation is split into two parts: - installing the extension in the virtual garden cluster by creating the ControllerRegistration and ControllerDeployment - installing the extension in the runtime cluster (if necessary).

Field	Description
helm ExtensionHelm	Helm contains the specification for a Helm deployment.
values JSON	(Optional) Values are the deployment values used in the creation of the ControllerDeployment in the virtual garden cluster.
runtimeClusterValues JSON	(Optional) RuntimeClusterValues are the deployment values for the extension deployment running in the runtime garden cluster.
policy ControllerDeploymentPolicy	(Optional) Policy controls how the controller is deployed. It defaults to 'OnDemand'.
seedSelector LabelSelector	(Optional) SeedSelector contains an optional label selector for seeds. Only if the labels match then this controller will be considered for a deployment. An empty list means that all seeds are selected.
injectGardenKubeconfig boolean	(Optional) InjectGardenKubeconfig controls whether a kubeconfig to the garden cluster should be injected into workload resources.

ExtensionHelm

(Appears on:DeploymentSpec, ExtensionDeploymentSpec)

ExtensionHelm is the configuration for a helm deployment.

Field	Description
ociRepository OCIRepository	(Optional) OCIRepository defines where to pull the chart from.

ExtensionSpec

(Appears on:Extension)

ExtensionSpec contains the specification of a Gardener extension.

Field	Description
resources ControllerResource array	(Optional) Resources is a list of combinations of kinds (DNSRecord, Backupbucket, ...) and their actual types (aws-route53, gcp).
deployment Deployment	(Optional) Deployment contains deployment configuration for an extension and it's admission controller.

ExtensionStatus

(Appears on:Extension)

ExtensionStatus is the status of a Gardener extension.

Field	Description
observedGeneration integer	(Optional) ObservedGeneration is the most recent generation observed for this resource.
conditions Condition array	(Optional) Conditions represents the latest available observations of an Extension's current state.
providerStatus RawExtension	(Optional) ProviderStatus contains type-specific status.

Garden

Garden describes a list of gardens.

Field	Description
metadata ObjectMeta	Refer to the Kubernetes API documentation for the fields of the metadata field.
spec GardenSpec	Spec contains the specification of this garden.
status GardenStatus	Status contains the status of this garden.

GardenExtension

(Appears on:GardenSpec)

GardenExtension contains type and provider information for Garden extensions.

Field	Description
type string	Type is the type of the extension resource.
providerConfig RawExtension	(Optional) ProviderConfig is the configuration passed to extension resource.

GardenSpec

(Appears on:Garden)

GardenSpec contains the specification of a garden environment.

Field	Description
dns DNSManagement	(Optional) DNS contains specifications of DNS providers.
extensions GardenExtension array	(Optional) Extensions contain type and provider information for Garden extensions.
runtimeCluster RuntimeCluster	RuntimeCluster contains configuration for the runtime cluster.
virtualCluster VirtualCluster	VirtualCluster contains configuration for the virtual cluster.
resources NamedResourceReference array	(Optional) Resources holds a list of named resource references that can be referred to in extension configs by their names.

GardenStatus

(Appears on:Garden)

GardenStatus is the status of a garden environment.

Field	Description
gardener Gardener	(Optional) Gardener holds information about the Gardener which last acted on the Garden.
conditions Condition array	Conditions is a list of conditions.
lastOperation LastOperation	(Optional) LastOperation holds information about the last operation on the Garden.
observedGeneration integer	ObservedGeneration is the most recent generation observed for this resource.
credentials Credentials	(Optional) Credentials contains information about the virtual garden cluster credentials.

Gardener

(Appears on:VirtualCluster)

Gardener contains the configuration settings for the Gardener components.

Field	Description
clusterIdentity string	ClusterIdentity is the identity of the garden cluster. This field is immutable.
gardenerAPIServer GardenerAPIServerConfig	(Optional) APIServer contains configuration settings for the gardener-apiserver.
gardenerAdmissionController GardenerAdmissionControllerConfig	(Optional) AdmissionController contains configuration settings for the gardener-admission-controller.
gardenerControllerManager GardenerControllerManagerConfig	(Optional) ControllerManager contains configuration settings for the gardener-controller-manager.
gardenerScheduler GardenerSchedulerConfig	(Optional) Scheduler contains configuration settings for the gardener-scheduler.
gardenerDashboard GardenerDashboardConfig	(Optional) Dashboard contains configuration settings for the gardener-dashboard.
gardenerDiscoveryServer GardenerDiscoveryServerConfig	(Optional) DiscoveryServer contains configuration settings for the gardener-discovery-server. Once enabled, the gardener-discovery-server deployment cannot be removed and its domain cannot be changed. Otherwise, workload identity and/or shoot service account tokens referencing the gardener-discovery-server in the issuer URL might become unusable. This field is optional, but once set, it cannot be removed anymore.
gardenerResourceManager GardenerResourceManagerConfig	(Optional) ResourceManager contains configuration settings for the gardener-resource-manager.

GardenerAPIServerConfig

(Appears on:Gardener)

GardenerAPIServerConfig contains configuration settings for the gardener-apiserver.

Field	Description
featureGates object (keys:string, values:boolean)	(Optional) FeatureGates contains information about enabled feature gates.
admissionPlugins AdmissionPlugin array	(Optional) AdmissionPlugins contains the list of user-defined admission plugins (additional to those managed by Gardener), and, if desired, the corresponding configuration.
auditConfig AuditConfig	(Optional) AuditConfig contains configuration settings for the audit of the kube-apiserver.
auditWebhook AuditWebhook	(Optional) AuditWebhook contains settings related to an audit webhook configuration.
logging APIServerLogging	(Optional) Logging contains configuration for the log level and HTTP access logs.
requests APIServerRequests	(Optional) Requests contains configuration for request-specific settings for the kube-apiserver.
watchCacheSizes WatchCacheSizes	(Optional) WatchCacheSizes contains configuration of the API server's watch cache sizes. Configuring these flags might be useful for large-scale Garden clusters with a lot of parallel update requests and a lot of watching controllers (e.g. large ManagedSeed clusters). When the API server's watch cache's capacity is too small to cope with the amount of update requests and watchers for a particular resource, it might happen that controller watches are permanently stopped with `too old resource version` errors. Starting from kubernetes v1.19, the API server's watch cache size is adapted dynamically and setting the watch cache size flags will have no effect, except when setting it to 0 (which disables the watch cache).
encryptionConfig EncryptionConfig	(Optional) EncryptionConfig contains customizable encryption configuration of the Gardener API server.
goAwayChance float	(Optional) GoAwayChance can be used to prevent HTTP/2 clients from getting stuck on a single apiserver, randomly close a connection (GOAWAY). The client's other in-flight requests won't be affected, and the client will reconnect, likely landing on a different apiserver after going through the load balancer again. This field sets the fraction of requests that will be sent a GOAWAY. Min is 0 (off), Max is 0.02 (1/50 requests); 0.001 (1/1000) is a recommended starting point.
shootAdminKubeconfigMaxExpiration Duration	(Optional) ShootAdminKubeconfigMaxExpiration is the maximum validity duration of a credential requested to a Shoot by an AdminKubeconfigRequest. If an otherwise valid AdminKubeconfigRequest with a validity duration larger than this value is requested, a credential will be issued with a validity duration of this value.

GardenerAdmissionControllerConfig

(Appears on:Gardener)

GardenerAdmissionControllerConfig contains configuration settings for the gardener-admission-controller.

Field	Description
logLevel string	(Optional) LogLevel is the configured log level for the gardener-admission-controller. Must be one of [info,debug,error]. Defaults to info.
resourceAdmissionConfiguration ResourceAdmissionConfiguration	(Optional) ResourceAdmissionConfiguration is the configuration for resource size restrictions for arbitrary Group-Version-Kinds.

GardenerControllerManagerConfig

(Appears on:Gardener)

GardenerControllerManagerConfig contains configuration settings for the gardener-controller-manager.

Field	Description
featureGates object (keys:string, values:boolean)	(Optional) FeatureGates contains information about enabled feature gates.
defaultProjectQuotas ProjectQuotaConfiguration array	(Optional) DefaultProjectQuotas is the default configuration matching projects are set up with if a quota is not already specified.
logLevel string	(Optional) LogLevel is the configured log level for the gardener-controller-manager. Must be one of [info,debug,error]. Defaults to info.

GardenerDashboardConfig

(Appears on:Gardener)

GardenerDashboardConfig contains configuration settings for the gardener-dashboard.

Field	Description
enableTokenLogin boolean	(Optional) EnableTokenLogin specifies whether it is possible to log into the dashboard with a JWT token. If disabled, OIDC must be configured.
frontendConfigMapRef LocalObjectReference	(Optional) FrontendConfigMapRef is the reference to a ConfigMap in the garden namespace containing the frontend configuration.
assetsConfigMapRef LocalObjectReference	(Optional) AssetsConfigMapRef is the reference to a ConfigMap in the garden namespace containing the assets (logos/icons).
gitHub DashboardGitHub	(Optional) GitHub contains configuration for the GitHub ticketing feature.
logLevel string	(Optional) LogLevel is the configured log level. Must be one of [trace,debug,info,warn,error]. Defaults to info.
oidcConfig DashboardOIDC	(Optional) OIDCConfig contains configuration for the OIDC provider. This field must be provided when EnableTokenLogin is false.
terminal DashboardTerminal	(Optional) Terminal contains configuration for the terminal settings.
ingress DashboardIngress	(Optional) Ingress contains configuration for the ingress settings.

GardenerDiscoveryServerConfig

(Appears on:Gardener)

GardenerDiscoveryServerConfig contains configuration settings for the gardener-discovery-server.

Field	Description
domain DNSDomain	(Optional) Domain overrides the default ingress domain and optionally the DNS provider for the gardener-discovery-server. This field is optional, but once the gardener-discovery-server is enabled, its domain cannot be changed anymore. Defaults to "discovery.".
tlsSecretName string	(Optional) TLSSecretName is the name of a secret (in the garden namespace) containing a trusted TLS certificate for the domain. If not configured, Gardener falls back to a secret labelled with 'gardener.cloud/role=garden-cert', if in turn not configured it generates a self-signed certificate.

GardenerResourceManagerConfig

(Appears on:Gardener)

GardenerResourceManagerConfig contains configuration settings for the gardener-resource-manager.

Field	Description
additionalTargetNamespaces string array	(Optional) AdditionalTargetNamespaces allows specifying custom target namespaces for the gardener-resource-manager instance.

GardenerSchedulerConfig

(Appears on:Gardener)

GardenerSchedulerConfig contains configuration settings for the gardener-scheduler.

Field	Description
featureGates object (keys:string, values:boolean)	(Optional) FeatureGates contains information about enabled feature gates.
logLevel string	(Optional) LogLevel is the configured log level for the gardener-scheduler. Must be one of [info,debug,error]. Defaults to info.

GroupResource

(Appears on:KubeAPIServerConfig)

GroupResource contains a list of resources which should be stored in etcd-events instead of etcd-main.

Field	Description
group string	Group is the API group name.
resource string	Resource is the resource name.

HighAvailability

(Appears on:ControlPlane)

HighAvailability specifies the configuration settings for high availability for a resource.

Ingress

(Appears on:RuntimeCluster)

Ingress configures the Ingress specific settings of the runtime cluster.

Field	Description
domains DNSDomain array	Domains specify the ingress domains of the cluster pointing to the ingress controller endpoint. They will be used to construct ingress URLs for system applications running in runtime cluster.
controller IngressController	Controller configures a Gardener managed Ingress Controller listening on the ingressDomain.

KubeAPIServerConfig

(Appears on:Kubernetes)

KubeAPIServerConfig contains configuration settings for the kube-apiserver.

Field	Description
auditWebhook AuditWebhook	(Optional) AuditWebhook contains settings related to an audit webhook configuration.
authentication Authentication	(Optional) Authentication contains settings related to authentication.
resourcesToStoreInETCDEvents GroupResource array	(Optional) ResourcesToStoreInETCDEvents contains a list of resources which should be stored in etcd-events instead of etcd-main. The 'events' resource is always stored in etcd-events. Note that adding or removing resources from this list will not migrate them automatically from the etcd-main to etcd-events or vice versa.
sni SNI	(Optional) SNI contains configuration options for the TLS SNI settings.

KubeControllerManagerConfig

(Appears on:Kubernetes)

KubeControllerManagerConfig contains configuration settings for the kube-controller-manager.

Field	Description
certificateSigningDuration Duration	(Optional) CertificateSigningDuration is the maximum length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting `spec.expirationSeconds`.

Kubernetes

(Appears on:VirtualCluster)

Kubernetes contains the version and configuration options for the Kubernetes components of the virtual garden cluster.

Field	Description
kubeAPIServer KubeAPIServerConfig	(Optional) KubeAPIServer contains configuration settings for the kube-apiserver.
kubeControllerManager KubeControllerManagerConfig	(Optional) KubeControllerManager contains configuration settings for the kube-controller-manager.
version string	Version is the semantic Kubernetes version to use for the virtual garden cluster.

LoadBalancerServicesProxyProtocol

(Appears on:SettingLoadBalancerServices)

LoadBalancerServicesProxyProtocol controls whether ProxyProtocol is (optionally) allowed for the load balancer services.

Field

Description

allowed boolean

Allowed controls whether the ProxyProtocol is optionally allowed for the load balancer services. This should only be enabled if the load balancer services are already using ProxyProtocol or will be reconfigured to use it soon. Until the load balancers are configured with ProxyProtocol, enabling this setting may allow clients to spoof their source IP addresses. The option allows a migration from non-ProxyProtocol to ProxyProtocol without downtime (depending on the infrastructure). Defaults to false.

Maintenance

(Appears on:VirtualCluster)

Maintenance contains information about the time window for maintenance operations.

Field	Description
timeWindow MaintenanceTimeWindow	TimeWindow contains information about the time window for maintenance operations.

Networking

(Appears on:VirtualCluster)

Networking defines networking parameters for the virtual garden cluster.

Field	Description
services string array	Services are the CIDRs of the service network. Elements can be appended to this list, but not removed.

ProjectQuotaConfiguration

(Appears on:GardenerControllerManagerConfig)

ProjectQuotaConfiguration defines quota configurations.

Field	Description
config ResourceQuota	Config is the corev1.ResourceQuota specification used for the project set-up.
projectSelector LabelSelector	(Optional) ProjectSelector is an optional setting to select the projects considered for quotas. Defaults to empty LabelSelector, which matches all projects.

Provider

(Appears on:RuntimeCluster)

Provider defines the provider-specific information for this cluster.

Field	Description
region string	(Optional) Region is the region the cluster is deployed to.
zones string array	(Optional) Zones is the list of availability zones the cluster is deployed to.

ResourceAdmissionConfiguration

(Appears on:GardenerAdmissionControllerConfig)

ResourceAdmissionConfiguration contains settings about arbitrary kinds and the size each resource should have at most.

Field	Description
limits ResourceLimit array	Limits contains configuration for resources which are subjected to size limitations.
unrestrictedSubjects Subject array	(Optional) UnrestrictedSubjects contains references to users, groups, or service accounts which aren't subjected to any resource size limit.
operationMode ResourceAdmissionWebhookMode	(Optional) OperationMode specifies the mode the webhooks operates in. Allowed values are "block" and "log". Defaults to "block".

ResourceAdmissionWebhookMode

Underlying type: string

(Appears on:ResourceAdmissionConfiguration)

ResourceAdmissionWebhookMode is an alias type for the resource admission webhook mode.

ResourceLimit

(Appears on:ResourceAdmissionConfiguration)

ResourceLimit contains settings about a kind and the size each resource should have at most.

Field	Description
apiGroups string array	(Optional) APIGroups is the name of the APIGroup that contains the limited resource. WildcardAll represents all groups.
apiVersions string array	(Optional) APIVersions is the version of the resource. WildcardAll represents all versions.
resources string array	Resources is the name of the resource this rule applies to. WildcardAll represents all resources.
size Quantity	(Optional) Size specifies the imposed limit.
count integer	(Optional) Count specifies the maximum number of resources of the given kind. Only cluster-scoped resources are considered.

RuntimeCluster

(Appears on:GardenSpec)

RuntimeCluster contains configuration for the runtime cluster.

Field	Description
ingress Ingress	Ingress configures Ingress specific settings for the Garden cluster.
networking RuntimeNetworking	Networking defines the networking configuration of the runtime cluster.
provider Provider	Provider defines the provider-specific information for this cluster.
settings Settings	(Optional) Settings contains certain settings for this cluster.
volume Volume	(Optional) Volume contains settings for persistent volumes created in the runtime cluster.

RuntimeNetworking

(Appears on:RuntimeCluster)

RuntimeNetworking defines the networking configuration of the runtime cluster.

Field	Description
ipFamilies IPFamily array	(Optional) IPFamilies specifies the IP protocol versions to use for the runtime cluster's networking. This field is immutable. Defaults to ["IPv4"].
nodes string array	(Optional) Nodes are the CIDRs of the node network. Elements can be appended to this list, but not removed.
pods string array	Pods are the CIDRs of the pod network. Elements can be appended to this list, but not removed.
services string array	Services are the CIDRs of the service network. Elements can be appended to this list, but not removed.
blockCIDRs string array	(Optional) BlockCIDRs is a list of network addresses that should be blocked.

SNI

(Appears on:KubeAPIServerConfig)

SNI contains configuration options for the TLS SNI settings.

Field	Description
secretName string	(Optional) SecretName is the name of a secret containing the TLS certificate and private key. If not configured, Gardener falls back to a secret labelled with 'gardener.cloud/role=garden-cert'.
domainPatterns string array	(Optional) DomainPatterns is a list of fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names.

SettingLoadBalancerServices

(Appears on:Settings)

SettingLoadBalancerServices controls certain settings for services of type load balancer that are created in the runtime cluster.

Field	Description
annotations object (keys:string, values:string)	(Optional) Annotations is a map of annotations that will be injected/merged into every load balancer service object.
externalTrafficPolicy ServiceExternalTrafficPolicy	(Optional) ExternalTrafficPolicy specifies how nodes distribute service traffic they receive on one of the service's externally-facing addresses. Defaults to "Cluster". Can be set to "Local" when the load balancer is transparent (preserves client IP).
proxyProtocol LoadBalancerServicesProxyProtocol	(Optional) ProxyProtocol controls whether ProxyProtocol is (optionally) allowed for the load balancer services. Defaults to nil, which is equivalent to not allowing ProxyProtocol.

SettingTopologyAwareRouting

(Appears on:Settings)

SettingTopologyAwareRouting controls certain settings for topology-aware traffic routing in the cluster. See https://github.com/gardener/gardener/blob/master/docs/operations/topology_aware_routing.md.

Field

Description

enabled boolean

Enabled controls whether certain Services deployed in the cluster should be topology-aware. These Services are virtual-garden-etcd-main-client, virtual-garden-etcd-events-client and virtual-garden-kube-apiserver. Additionally, other components that are deployed to the runtime cluster via other means can read this field and according to its value enable/disable topology-aware routing for their Services.

SettingVerticalPodAutoscaler

(Appears on:Settings)

SettingVerticalPodAutoscaler controls certain settings for the vertical pod autoscaler components deployed in the cluster.

Field	Description
enabled boolean	(Optional) Enabled controls whether the VPA components shall be deployed into this cluster. It is true by default because the operator (and Gardener) heavily rely on a VPA being deployed. You should only disable this if your runtime cluster already has another, manually/custom managed VPA deployment. If this is not the case, but you still disable it, then reconciliation will fail.
featureGates object (keys:string, values:boolean)	(Optional) FeatureGates contains information about enabled feature gates.

Settings

(Appears on:RuntimeCluster)

Settings contains certain settings for this cluster.

Field	Description
loadBalancerServices SettingLoadBalancerServices	(Optional) LoadBalancerServices controls certain settings for services of type load balancer that are created in the runtime cluster.
verticalPodAutoscaler SettingVerticalPodAutoscaler	(Optional) VerticalPodAutoscaler controls certain settings for the vertical pod autoscaler components deployed in the cluster.
topologyAwareRouting SettingTopologyAwareRouting	(Optional) TopologyAwareRouting controls certain settings for topology-aware traffic routing in the cluster. See https://github.com/gardener/gardener/blob/master/docs/operations/topology_aware_routing.md.

Storage

(Appears on:ETCDEvents, ETCDMain)

Storage contains storage configuration.

Field	Description
capacity Quantity	(Optional) Capacity is the storage capacity for the volumes.
className string	(Optional) ClassName is the name of a storage class.

VirtualCluster

(Appears on:GardenSpec)

VirtualCluster contains configuration for the virtual cluster.

Field	Description
controlPlane ControlPlane	(Optional) ControlPlane holds information about the general settings for the control plane of the virtual cluster.
dns DNS	DNS holds information about DNS settings.
etcd ETCD	(Optional) ETCD contains configuration for the etcds of the virtual garden cluster.
gardener Gardener	Gardener contains the configuration options for the Gardener control plane components.
kubernetes Kubernetes	Kubernetes contains the version and configuration options for the Kubernetes components of the virtual garden cluster.
maintenance Maintenance	Maintenance contains information about the time window for maintenance operations.
networking Networking	Networking contains information about cluster networking such as CIDRs, etc.

Volume

(Appears on:RuntimeCluster)

Volume contains settings for persistent volumes created in the runtime cluster.

Field	Description
minimumSize Quantity	(Optional) MinimumSize defines the minimum size that should be used for PVCs in the runtime cluster.

WorkloadIdentityKeyRotation

(Appears on:CredentialsRotation)

WorkloadIdentityKeyRotation contains information about the workload identity key credential rotation.

Field	Description
phase CredentialsRotationPhase	Phase describes the phase of the workload identity key credential rotation.
lastCompletionTime Time	(Optional) LastCompletionTime is the most recent time when the workload identity key credential rotation was successfully completed.
lastInitiationTime Time	(Optional) LastInitiationTime is the most recent time when the workload identity key credential rotation was initiated.
lastInitiationFinishedTime Time	(Optional) LastInitiationFinishedTime is the recent time when the workload identity key credential rotation initiation was completed.
lastCompletionTriggeredTime Time	(Optional) LastCompletionTriggeredTime is the recent time when the workload identity key credential rotation completion was triggered.