#Configuration
This page explains how to think about Sandbox0Infra configuration and includes a generated field reference sourced from the operator CRD.
The goal is to keep the page readable for operators while still exposing the full supported config surface.
How to Read Sandbox0Infra#
A Sandbox0Infra spec is easier to reason about when you split it into five layers:
| Layer | Main fields | What it controls |
|---|---|---|
| Platform release | infra-operator chart / image version | Which sandbox0 component version to deploy |
| Core dependencies | spec.database, spec.juicefsDatabase, spec.storage, spec.registry | PostgreSQL, JuiceFS metadata, object storage, registry integration |
| Topology | spec.services.*, spec.controlPlane, spec.cluster, spec.region | Single-cluster vs multi-cluster shape and service placement |
| Public routing | spec.publicExposure, spec.internalAuth | Public sandbox URLs and inter-service trust |
| Runtime bootstrap | spec.builtinTemplates, spec.initUser | Default templates, warm pools, initial admin bootstrap |
Recommended Reading Order#
- Pick your topology with
spec.services.*. - Decide whether database/storage/registry stay
builtinor move external. - Configure public exposure and cluster identity.
- Seed templates and initial admin user.
- Only then tune per-service
configblocks.
Deployment Profiles#
| Profile | Typical fields | Use when |
|---|---|---|
| Minimal single-cluster | services.internalGateway, services.manager | Local eval, API validation, fast first install |
| Full single-cluster | Add storage, registry, services.storageProxy, services.netd | You need persistent volumes, snapshots, or network controls |
| Multi-cluster control plane | services.edgeGateway, services.scheduler | You coordinate multiple data-plane clusters in one region |
| Multi-cluster data plane | controlPlane, cluster, services.internalGateway, services.manager, optional storageProxy/netd | You attach a cluster to an external control plane |
Official sample manifests:
- single-cluster/minimal.yaml
- single-cluster/fullmode.yaml
- single-cluster/volumes.yaml
- single-cluster/network-policy.yaml
- multi-cluster/control-plane.yaml
- multi-cluster/data-plane.yaml
What Usually Changes First#
External PostgreSQL#
Move spec.database.type from builtin to external when you want managed PostgreSQL durability, backup policy, and operational separation.
yamlspec: database: type: external external: host: your-db.rds.amazonaws.com port: 5432 database: sandbox0 username: sandbox0 passwordSecret: name: db-credentials key: password
S3 or OSS Backing Storage#
If you need persistent volume features in production, configure spec.storage and enable services.storageProxy.
yamlspec: storage: type: s3 s3: bucket: sandbox0-prod region: us-east-1 endpoint: https://s3.amazonaws.com credentialsSecret: name: aws-credentials accessKeyKey: accessKeyId secretKeyKey: secretAccessKey services: storageProxy: enabled: true
Public Routing and Region Identity#
spec.publicExposure decides the public host pattern used for sandbox URLs. Keep it consistent with your region and DNS plan.
yamlspec: publicExposure: enabled: true rootDomain: sandbox0.example.com regionId: aws-us-east-1
Multi-Cluster Data Plane Registration#
Data-plane clusters need control-plane connection details and a stable cluster identity.
yamlspec: controlPlane: url: https://api.sandbox0.example.com internalAuthPublicKeySecret: name: control-plane-public-key key: public.key cluster: id: cluster-001 name: production-use1-a services: internalGateway: enabled: true config: authMode: internal manager: enabled: true
Service-Level Config#
spec.services.<service>.config is where you tune component-specific behavior after the topology is already correct.
Examples:
services.internalGateway.config.authModeswitches betweenpublic,internal, andbothservices.manager.config.autoscaler.*tunes pool scale behaviorservices.storageProxy.config.juicefs*tunes JuiceFS behavior and cache sizingservices.netd.config.*controls proxy ports, policy enforcement, and node-level networking behavior
Use spec.sandboxNodePlacement for the shared node placement consumed by sandbox template Pods, netd, and k8s-plugin. The older services.netd.nodeSelector and services.netd.tolerations fields remain as compatibility aliases when the shared placement is unset.
ℹ
Use the generated reference below for exact field names, defaults, enums, and required flags. Use the sample manifests for operator-friendly starting points.
ℹ
Not every operational rule is expressible in CRD schema. Some defaults are applied at runtime inside services, and some validations are conditional. Examples include service runtime defaults in netd and conditional checks such as storage-proxy encryption requiring a key path.
Full Reference#
The reference below is generated from the Sandbox0Infra CRD schema produced by controller-gen, not manually maintained MDX.
This reference is generated from the `Sandbox0Infra` CRD schema. It stays aligned with defaults, enums, and required fields exposed by the operator, while deployment guidance on this page remains curated.
Databasespec.database21 fieldsDatabase configures the main database for sandbox0
Database
spec.database
21 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.database | object | No | - | Database configures the main database for sandbox0 |
spec.database.builtin | object | No | - | Builtin configures the built-in single-node PostgreSQL |
spec.database.builtin.database | string | No | sandbox0 | Database specifies the database name |
spec.database.builtin.enabled | boolean | No | true | Enabled enables the built-in database |
spec.database.builtin.image | string | No | postgres:16-alpine | Image specifies the postgres image for the builtin database |
spec.database.builtin.persistence | object | No | - | Persistence configures database storage |
spec.database.builtin.persistence.enabled | boolean | No | true | Enabled enables persistence |
spec.database.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.database.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.database.builtin.port | integer | No | 5432 | Port specifies the database port |
spec.database.builtin.sslMode | string | No | disable | SSLMode specifies the SSL mode for builtin DSN |
spec.database.builtin.username | string | No | sandbox0 | Username specifies the database username |
spec.database.external | object | No | - | External configures connection to external database |
spec.database.external.database | string | Yes | - | Database specifies the database name |
spec.database.external.host | string | Yes | - | Host specifies the database host |
spec.database.external.passwordSecret | object | Yes | - | PasswordSecret references the secret containing the password |
spec.database.external.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.database.external.passwordSecret.name | string | No | - | Name is the name of the secret |
spec.database.external.port | integer | No | 5432 | Port specifies the database port |
spec.database.external.sslMode | string | No | require | SSLMode specifies the SSL mode for connection |
spec.database.external.username | string | Yes | - | Username specifies the database username |
spec.database.type | string | No | builtin | Type specifies the postgres database type: builtin, or external Allowed values: builtin, external. |
JuiceFS Metadata Databasespec.juicefsDatabase10 fieldsJuicefsDatabase configures the JuiceFS metadata database
JuiceFS Metadata Database
spec.juicefsDatabase
10 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.juicefsDatabase | object | No | - | JuicefsDatabase configures the JuiceFS metadata database |
spec.juicefsDatabase.external | object | No | - | External configures an independent database for JuiceFS |
spec.juicefsDatabase.external.database | string | Yes | - | Database specifies the database name |
spec.juicefsDatabase.external.host | string | Yes | - | Host specifies the database host |
spec.juicefsDatabase.external.passwordSecret | object | Yes | - | PasswordSecret references the secret containing the password |
spec.juicefsDatabase.external.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.juicefsDatabase.external.passwordSecret.name | string | No | - | Name is the name of the secret |
spec.juicefsDatabase.external.port | integer | No | 5432 | Port specifies the database port |
spec.juicefsDatabase.external.sslMode | string | No | require | SSLMode specifies the SSL mode for connection |
spec.juicefsDatabase.external.username | string | Yes | - | Username specifies the database username |
spec.juicefsDatabase.shareWithMain | boolean | No | true | ShareWithMain uses the main database for JuiceFS metadata |
Storagespec.storage37 fieldsStorage configures the storage backend (JuiceFS S3 backend)
Storage
spec.storage
37 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.storage | object | No | - | Storage configures the storage backend (JuiceFS S3 backend) |
spec.storage.builtin | object | No | - | Builtin configures the built-in RustFS storage |
spec.storage.builtin.bucket | string | No | sandbox0 | Bucket specifies the default bucket name for builtin storage |
spec.storage.builtin.consoleEnabled | boolean | No | true | ConsoleEnabled enables the RustFS console |
spec.storage.builtin.consolePort | integer | No | 9001 | ConsolePort specifies the RustFS console port |
spec.storage.builtin.credentials | object | No | - | Credentials configures access credentials (auto-generated if not specified) |
spec.storage.builtin.credentials.accessKey | string | No | - | AccessKey is the access key |
spec.storage.builtin.credentials.secretKey | string | No | - | SecretKey is the secret key |
spec.storage.builtin.enabled | boolean | No | true | Enabled enables the built-in storage |
spec.storage.builtin.image | string | No | rustfs/rustfs:1.0.0-alpha.79 | Image specifies the RustFS image for builtin storage |
spec.storage.builtin.obsEnvironment | string | No | develop | ObsEnvironment specifies the RustFS environment label |
spec.storage.builtin.obsLogDirectory | string | No | /data/logs | ObsLogDirectory specifies the RustFS log directory |
spec.storage.builtin.obsLoggerLevel | string | No | debug | ObsLoggerLevel specifies the RustFS log level |
spec.storage.builtin.persistence | object | No | - | Persistence configures storage persistence |
spec.storage.builtin.persistence.enabled | boolean | No | true | Enabled enables persistence |
spec.storage.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.storage.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.storage.builtin.port | integer | No | 9000 | Port specifies the RustFS API port |
spec.storage.builtin.region | string | No | us-east-1 | Region specifies the default region for builtin storage |
spec.storage.builtin.volumes | string | No | /data | Volumes specifies the RustFS data path |
spec.storage.oss | object | No | - | OSS configures Aliyun OSS storage |
spec.storage.oss.bucket | string | Yes | - | Bucket specifies the OSS bucket name |
spec.storage.oss.credentialsSecret | object | Yes | - | CredentialsSecret references the secret containing Aliyun credentials |
spec.storage.oss.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID |
spec.storage.oss.credentialsSecret.name | string | Yes | - | Name is the name of the secret |
spec.storage.oss.credentialsSecret.secretKeyKey | string | No | accessKeySecret | SecretKeyKey is the key for access key secret |
spec.storage.oss.endpoint | string | Yes | - | Endpoint specifies the OSS endpoint |
spec.storage.oss.region | string | Yes | - | Region specifies the Aliyun region |
spec.storage.s3 | object | No | - | S3 configures S3 or S3-compatible storage |
spec.storage.s3.bucket | string | Yes | - | Bucket specifies the S3 bucket name |
spec.storage.s3.credentialsSecret | object | Yes | - | CredentialsSecret references the secret containing AWS credentials |
spec.storage.s3.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID |
spec.storage.s3.credentialsSecret.name | string | Yes | - | Name is the name of the secret |
spec.storage.s3.credentialsSecret.secretKeyKey | string | No | secretAccessKey | SecretKeyKey is the key for secret access key |
spec.storage.s3.endpoint | string | No | - | Endpoint specifies the S3 endpoint (optional for AWS) |
spec.storage.s3.region | string | Yes | - | Region specifies the AWS region |
spec.storage.s3.sessionTokenKey | string | No | - | SessionTokenKey is the key for session token in the secret (optional) |
spec.storage.type | string | No | builtin | Type specifies the storage type: builtin, s3, or oss Allowed values: builtin, s3, oss. |
Registryspec.registry73 fieldsRegistry configures the container registry
Registry
spec.registry
73 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.registry | object | No | - | Registry configures the container registry |
spec.registry.aliyun | object | No | - | Aliyun configures Aliyun registry integration. |
spec.registry.aliyun.credentialsSecret | object | Yes | - | CredentialsSecret references Aliyun credentials for short-lived tokens. |
spec.registry.aliyun.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID. |
spec.registry.aliyun.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aliyun.credentialsSecret.secretKeyKey | string | No | accessKeySecret | SecretKeyKey is the key for secret access key. |
spec.registry.aliyun.instanceId | string | Yes | - | InstanceID specifies the ACR instance ID. |
spec.registry.aliyun.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.aliyun.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.aliyun.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aliyun.region | string | Yes | - | Region specifies the Aliyun region. |
spec.registry.aliyun.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.aws | object | No | - | AWS configures AWS registry integration. |
spec.registry.aws.credentialsSecret | object | Yes | - | CredentialsSecret references AWS credentials for short-lived tokens. |
spec.registry.aws.credentialsSecret.accessKeyKey | string | No | accessKeyId | AccessKeyKey is the key for access key ID. |
spec.registry.aws.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aws.credentialsSecret.secretKeyKey | string | No | secretAccessKey | SecretKeyKey is the key for secret access key. |
spec.registry.aws.credentialsSecret.sessionTokenKey | string | No | - | SessionTokenKey is the key for session token (optional). |
spec.registry.aws.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.aws.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.aws.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.aws.region | string | Yes | - | Region specifies the AWS region. |
spec.registry.aws.registry | string | No | - | Registry specifies the registry hostname. |
spec.registry.aws.registryId | string | No | - | RegistryID specifies the AWS account ID (optional). |
spec.registry.azure | object | No | - | Azure configures Azure registry integration. |
spec.registry.azure.credentialsSecret | object | Yes | - | CredentialsSecret references the client credentials for ACR. |
spec.registry.azure.credentialsSecret.clientIdKey | string | No | clientId | ClientIDKey is the key for client ID. |
spec.registry.azure.credentialsSecret.clientSecretKey | string | No | clientSecret | ClientSecretKey is the key for client secret. |
spec.registry.azure.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.azure.credentialsSecret.tenantIdKey | string | No | tenantId | TenantIDKey is the key for tenant ID. |
spec.registry.azure.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.azure.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.azure.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.azure.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.builtin | object | No | - | Builtin configures the built-in registry. |
spec.registry.builtin.credentialsSecret | object | No | - | CredentialsSecret references the secret containing registry credentials. If omitted, the operator will generate a secret named "<infra-name>-registry-credentials". |
spec.registry.builtin.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.builtin.credentialsSecret.passwordKey | string | No | password | PasswordKey is the key for password. |
spec.registry.builtin.credentialsSecret.usernameKey | string | No | username | UsernameKey is the key for username. |
spec.registry.builtin.enabled | boolean | No | true | Enabled enables the built-in registry. |
spec.registry.builtin.image | string | No | registry:2.8.3 | Image specifies the registry image. |
spec.registry.builtin.ingress | object | No | - | Ingress configures ingress settings for external registry access. |
spec.registry.builtin.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.registry.builtin.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.registry.builtin.ingress.host | string | No | - | Host specifies the ingress host |
spec.registry.builtin.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.registry.builtin.persistence | object | No | - | Persistence configures registry persistence. |
spec.registry.builtin.persistence.enabled | boolean | No | true | Enabled enables persistence |
spec.registry.builtin.persistence.size | integer|string | No | 20Gi | Size specifies the storage size |
spec.registry.builtin.persistence.storageClass | string | No | - | StorageClass specifies the storage class (empty for default) |
spec.registry.builtin.port | integer | No | 5000 | Port specifies the registry port. |
spec.registry.builtin.pushEndpoint | string | No | - | PushEndpoint overrides the external registry endpoint used for image push credentials. Use host[:port] format, without scheme. |
spec.registry.builtin.service | object | No | - | Service configures the registry service exposure. |
spec.registry.builtin.service.port | integer | No | 80 | Port specifies the service port |
spec.registry.builtin.service.type | string | No | ClusterIP | Type specifies the service type |
spec.registry.gcp | object | No | - | GCP configures GCP registry integration. |
spec.registry.gcp.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.gcp.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.gcp.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.gcp.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.gcp.serviceAccountSecret | object | Yes | - | ServiceAccountSecret references the service account JSON key. |
spec.registry.gcp.serviceAccountSecret.key | string | No | serviceAccount.json | Key is the key in the secret. |
spec.registry.gcp.serviceAccountSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor | object | No | - | Harbor configures Harbor registry integration. |
spec.registry.harbor.credentialsSecret | object | Yes | - | CredentialsSecret references Harbor credentials for push authentication. |
spec.registry.harbor.credentialsSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor.credentialsSecret.passwordKey | string | No | password | PasswordKey is the key for password. |
spec.registry.harbor.credentialsSecret.usernameKey | string | No | username | UsernameKey is the key for username. |
spec.registry.harbor.pullSecret | object | Yes | - | PullSecret references the dockerconfigjson secret to use for image pulls. |
spec.registry.harbor.pullSecret.key | string | No | .dockerconfigjson | Key is the key in the secret. |
spec.registry.harbor.pullSecret.name | string | Yes | - | Name is the name of the secret. |
spec.registry.harbor.registry | string | Yes | - | Registry specifies the registry hostname. |
spec.registry.imagePullSecretName | string | No | sandbox0-registry-pull | ImagePullSecretName is the secret name to create in template namespaces. |
spec.registry.provider | string | No | builtin | Provider specifies the registry provider: builtin, aws, gcp, azure, aliyun, or harbor. |
Control Planespec.controlPlane4 fieldsControlPlane configures external control plane connection.
Control Plane
spec.controlPlane
4 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.controlPlane | object | No | - | ControlPlane configures external control plane connection. |
spec.controlPlane.internalAuthPublicKeySecret | object | Yes | - | InternalAuthPublicKeySecret references the secret containing control plane's public key |
spec.controlPlane.internalAuthPublicKeySecret.key | string | No | password | Key is the key in the secret |
spec.controlPlane.internalAuthPublicKeySecret.name | string | No | - | Name is the name of the secret |
spec.controlPlane.url | string | Yes | - | URL is the control plane edge-gateway URL |
Internal Authspec.internalAuth12 fieldsInternalAuth configures internal authentication keys
Internal Auth
spec.internalAuth
12 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.internalAuth | object | No | - | InternalAuth configures internal authentication keys |
spec.internalAuth.controlPlane | object | No | - | ControlPlane configures control plane key pair |
spec.internalAuth.controlPlane.generate | boolean | No | true | Generate enables automatic key generation |
spec.internalAuth.controlPlane.secretRef | object | No | - | SecretRef references an existing secret containing the key pair |
spec.internalAuth.controlPlane.secretRef.name | string | Yes | - | Name is the name of the secret |
spec.internalAuth.controlPlane.secretRef.privateKeyKey | string | No | private.key | PrivateKeyKey is the key for private key |
spec.internalAuth.controlPlane.secretRef.publicKeyKey | string | No | public.key | PublicKeyKey is the key for public key |
spec.internalAuth.dataPlane | object | No | - | DataPlane configures data plane key pair |
spec.internalAuth.dataPlane.generate | boolean | No | true | Generate enables automatic key generation |
spec.internalAuth.dataPlane.secretRef | object | No | - | SecretRef references an existing secret containing the key pair |
spec.internalAuth.dataPlane.secretRef.name | string | Yes | - | Name is the name of the secret |
spec.internalAuth.dataPlane.secretRef.privateKeyKey | string | No | private.key | PrivateKeyKey is the key for private key |
spec.internalAuth.dataPlane.secretRef.publicKeyKey | string | No | public.key | PublicKeyKey is the key for public key |
Public Exposurespec.publicExposure3 fieldsPublicExposure configures public URL exposure for sandboxes
Public Exposure
spec.publicExposure
3 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.publicExposure | object | No | - | PublicExposure configures public URL exposure for sandboxes |
spec.publicExposure.enabled | boolean | No | true | Enabled enables public exposure routing |
spec.publicExposure.regionId | string | No | aws-us-east-1 | RegionID is the DNS-safe region label used in public URLs. It is not the canonical multi-region tenancy identifier. |
spec.publicExposure.rootDomain | string | No | sandbox0.app | RootDomain is the root domain for public exposure URLs |
Clusterspec.cluster10 fieldsCluster configures cluster identification and capacity
Cluster
spec.cluster
10 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.cluster | object | No | - | Cluster configures cluster identification and capacity |
spec.cluster.capacity | object | No | - | Capacity specifies cluster resource capacity |
spec.cluster.capacity.cpu | object | No | - | CPU specifies CPU capacity |
spec.cluster.capacity.cpu.available | string | No | - | Available is the available capacity |
spec.cluster.capacity.cpu.total | string | No | - | Total is the total capacity |
spec.cluster.capacity.maxSandboxes | integer | No | - | MaxSandboxes is the maximum number of sandboxes |
spec.cluster.capacity.memory | object | No | - | Memory specifies memory capacity |
spec.cluster.capacity.memory.available | string | No | - | Available is the available capacity |
spec.cluster.capacity.memory.total | string | No | - | Total is the total capacity |
spec.cluster.id | string | Yes | - | ID is the unique cluster identifier |
spec.cluster.name | string | No | - | Name is the human-readable cluster name |
Initial Admin Userspec.initUser5 fieldsInitUser configures the initial admin user
Initial Admin User
spec.initUser
5 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.initUser | object | No | - | InitUser configures the initial admin user |
spec.initUser.email | string | No | - | Email is the admin user's email |
spec.initUser.name | string | No | - | Name is the admin user's display name |
spec.initUser.passwordSecret | object | No | - | PasswordSecret references the secret containing the password |
spec.initUser.passwordSecret.key | string | No | password | Key is the key in the secret |
spec.initUser.passwordSecret.name | string | No | - | Name is the name of the secret |
Builtin Templatesspec.builtinTemplates8 fieldsBuiltinTemplates defines system builtin templates to seed the template store
Builtin Templates
spec.builtinTemplates
8 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.builtinTemplates | array<object> | No | [] | BuiltinTemplates defines system builtin templates to seed the template store |
spec.builtinTemplates[] | object | No | - | BuiltinTemplateConfig defines a system builtin template. |
spec.builtinTemplates[].description | string | No | - | - |
spec.builtinTemplates[].displayName | string | No | - | - |
spec.builtinTemplates[].image | string | No | - | - |
spec.builtinTemplates[].pool | object | No | - | BuiltinTemplatePoolConfig holds pool defaults for builtin templates. |
spec.builtinTemplates[].pool.maxIdle | integer | No | 5 | - |
spec.builtinTemplates[].pool.minIdle | integer | No | 1 | - |
spec.builtinTemplates[].templateId | string | Yes | - | - |
Sandbox Node Placementspec.sandboxNodePlacement8 fieldsSandboxNodePlacement configures the shared node placement used by
sandbox workloads and node-local sandbox services.
Sandbox Node Placement
spec.sandboxNodePlacement
8 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.sandboxNodePlacement | object | No | - | SandboxNodePlacement configures the shared node placement used by sandbox workloads and node-local sandbox services. |
spec.sandboxNodePlacement.nodeSelector | object | No | - | NodeSelector constrains sandbox workloads and node-local sandbox services onto a specific node set. |
spec.sandboxNodePlacement.tolerations | array<object> | No | - | Tolerations allow sandbox workloads and node-local sandbox services to run on tainted sandbox nodes. |
spec.sandboxNodePlacement.tolerations[] | object | No | - | The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. |
spec.sandboxNodePlacement.tolerations[].effect | string | No | - | Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. |
spec.sandboxNodePlacement.tolerations[].key | string | No | - | Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. |
spec.sandboxNodePlacement.tolerations[].operator | string | No | - | Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). |
spec.sandboxNodePlacement.tolerations[].tolerationSeconds | integer | No | - | TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. |
spec.sandboxNodePlacement.tolerations[].value | string | No | - | Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. |
Service: edgeGatewayspec.services.edgeGateway65 fieldsEdgeGateway configures the edge-gateway service (control plane)
Service: edgeGateway
spec.services.edgeGateway
65 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.edgeGateway | object | No | - | EdgeGateway configures the edge-gateway service (control plane) |
spec.services.edgeGateway.config | object | No | - | Config contains edge-gateway specific configuration |
spec.services.edgeGateway.config.authMode | string | No | self_hosted | AuthMode controls how human-facing authentication is handled. Allowed values: "self_hosted", "federated_global". Allowed values: self_hosted, federated_global. |
spec.services.edgeGateway.config.baseUrl | string | No | http://localhost:8080 | Base URL for OIDC callbacks |
spec.services.edgeGateway.config.builtInAuth | object | No | - | Built-in Authentication |
spec.services.edgeGateway.config.builtInAuth.adminOnly | boolean | No | - | AdminOnly restricts built-in auth to admin accounts only |
spec.services.edgeGateway.config.builtInAuth.allowRegistration | boolean | No | - | AllowRegistration allows new users to register |
spec.services.edgeGateway.config.builtInAuth.emailVerificationRequired | boolean | No | - | EmailVerificationRequired requires email verification |
spec.services.edgeGateway.config.builtInAuth.enabled | boolean | No | true | Enabled enables built-in email/password authentication |
spec.services.edgeGateway.config.clusterCacheTTL | string | No | 30s | Cache configuration |
spec.services.edgeGateway.config.databaseMaxConns | integer | No | 30 | - |
spec.services.edgeGateway.config.databaseMinConns | integer | No | 8 | - |
spec.services.edgeGateway.config.defaultTeamName | string | No | Personal Team | Identity and Teams |
spec.services.edgeGateway.config.edition | string | No | self-hosted | Edition: "saas" or "self-hosted" |
spec.services.edgeGateway.config.httpPort | integer | No | 8080 | Server configuration |
spec.services.edgeGateway.config.internalAuthCaller | string | No | edge-gateway | - |
spec.services.edgeGateway.config.internalAuthTTL | string | No | 30s | Internal Authentication |
spec.services.edgeGateway.config.jwtAccessTokenTTL | string | No | 15m | - |
spec.services.edgeGateway.config.jwtIssuer | string | No | - | - |
spec.services.edgeGateway.config.jwtRefreshTokenTTL | string | No | 168h | - |
spec.services.edgeGateway.config.logLevel | string | No | info | - |
spec.services.edgeGateway.config.oidcProviders | array<object> | No | - | OIDC Providers |
spec.services.edgeGateway.config.oidcProviders[] | object | No | - | OIDCProviderConfig configures an OIDC provider. |
spec.services.edgeGateway.config.oidcProviders[].autoProvision | boolean | No | - | AutoProvision automatically creates users on first login |
spec.services.edgeGateway.config.oidcProviders[].clientId | string | No | - | ClientID is the OAuth client ID |
spec.services.edgeGateway.config.oidcProviders[].clientSecret | string | No | - | ClientSecret is the OAuth client secret |
spec.services.edgeGateway.config.oidcProviders[].discoveryUrl | string | No | - | DiscoveryURL is the OIDC discovery URL (.well-known/openid-configuration) |
spec.services.edgeGateway.config.oidcProviders[].enabled | boolean | No | - | Enabled toggles the provider |
spec.services.edgeGateway.config.oidcProviders[].id | string | No | - | ID is the unique identifier for the provider (e.g., "github", "google") |
spec.services.edgeGateway.config.oidcProviders[].name | string | No | - | Name is the display name |
spec.services.edgeGateway.config.oidcProviders[].scopes | array<string> | No | [openid, email, profile] | Scopes are the OAuth scopes to request |
spec.services.edgeGateway.config.oidcProviders[].scopes[] | string | No | - | - |
spec.services.edgeGateway.config.oidcProviders[].teamMapping | object | No | - | TeamMapping configures automatic team assignment |
spec.services.edgeGateway.config.oidcProviders[].teamMapping.defaultRole | string | No | - | DefaultRole is the role assigned to new users |
spec.services.edgeGateway.config.oidcProviders[].teamMapping.defaultTeamId | string | No | - | DefaultTeamID is the team to add users to |
spec.services.edgeGateway.config.oidcProviders[].teamMapping.domain | string | No | - | Domain filters users by email domain |
spec.services.edgeGateway.config.oidcStateCleanupInterval | string | No | 5m | - |
spec.services.edgeGateway.config.oidcStateTTL | string | No | 10m | - |
spec.services.edgeGateway.config.proxyTimeout | string | No | 30s | Timeouts |
spec.services.edgeGateway.config.rateLimitBurst | integer | No | 200 | - |
spec.services.edgeGateway.config.rateLimitCleanupInterval | string | No | 10m | - |
spec.services.edgeGateway.config.rateLimitRPS | integer | No | 100 | Rate limiting |
spec.services.edgeGateway.config.regionId | string | No | - | RegionID is the canonical region identifier used by tenancy and routing contracts, for example "aws/us-east-1". |
spec.services.edgeGateway.config.schedulerEnabled | boolean | No | - | Scheduler configuration (optional, for multi-cluster mode) |
spec.services.edgeGateway.config.schedulerUrl | string | No | - | - |
spec.services.edgeGateway.config.serverIdleTimeout | string | No | 120s | - |
spec.services.edgeGateway.config.serverReadTimeout | string | No | 30s | - |
spec.services.edgeGateway.config.serverWriteTimeout | string | No | 60s | - |
spec.services.edgeGateway.config.shutdownTimeout | string | No | 30s | - |
spec.services.edgeGateway.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.edgeGateway.ingress | object | No | - | Ingress configures ingress settings |
spec.services.edgeGateway.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.edgeGateway.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.edgeGateway.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.edgeGateway.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.edgeGateway.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.edgeGateway.resources | object | No | - | Resources specifies resource requirements |
spec.services.edgeGateway.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.edgeGateway.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.edgeGateway.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.edgeGateway.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.edgeGateway.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.edgeGateway.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.edgeGateway.service | object | No | - | Service configures the Kubernetes service |
spec.services.edgeGateway.service.port | integer | No | 80 | Port specifies the service port |
spec.services.edgeGateway.service.type | string | No | ClusterIP | Type specifies the service type |
Service: schedulerspec.services.scheduler32 fieldsScheduler configures the scheduler service (control plane)
Service: scheduler
spec.services.scheduler
32 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.scheduler | object | No | - | Scheduler configures the scheduler service (control plane) |
spec.services.scheduler.config | object | No | - | Config contains scheduler specific configuration |
spec.services.scheduler.config.databasePool | object | No | - | Database Pool configuration |
spec.services.scheduler.config.databasePool.maxConnIdleTime | string | No | 5m | - |
spec.services.scheduler.config.databasePool.maxConnLifetime | string | No | 30m | - |
spec.services.scheduler.config.databasePool.maxConns | integer | No | 10 | - |
spec.services.scheduler.config.databasePool.minConns | integer | No | 2 | - |
spec.services.scheduler.config.httpPort | integer | No | 8080 | Server configuration |
spec.services.scheduler.config.idleTimeout | string | No | 120s | - |
spec.services.scheduler.config.logLevel | string | No | info | - |
spec.services.scheduler.config.podsPerNode | integer | No | 50 | - |
spec.services.scheduler.config.proxyTimeout | string | No | 10s | - |
spec.services.scheduler.config.readTimeout | string | No | 30s | - |
spec.services.scheduler.config.reconcileInterval | string | No | 30s | Reconciler configuration |
spec.services.scheduler.config.shutdownTimeout | string | No | 30s | Timeouts |
spec.services.scheduler.config.writeTimeout | string | No | 60s | - |
spec.services.scheduler.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.scheduler.ingress | object | No | - | Ingress configures ingress settings |
spec.services.scheduler.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.scheduler.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.scheduler.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.scheduler.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.scheduler.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.scheduler.resources | object | No | - | Resources specifies resource requirements |
spec.services.scheduler.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.scheduler.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.scheduler.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.scheduler.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.scheduler.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.scheduler.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.scheduler.service | object | No | - | Service configures the Kubernetes service |
spec.services.scheduler.service.port | integer | No | 80 | Port specifies the service port |
spec.services.scheduler.service.type | string | No | ClusterIP | Type specifies the service type |
Service: internalGatewayspec.services.internalGateway63 fieldsInternalGateway configures the internal-gateway service (data plane)
Service: internalGateway
spec.services.internalGateway
63 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.internalGateway | object | No | - | InternalGateway configures the internal-gateway service (data plane) |
spec.services.internalGateway.config | object | No | - | Config contains internal-gateway specific configuration |
spec.services.internalGateway.config.allowedCallers | array<string> | No | [edge-gateway, scheduler] | AllowedCallers is the list of services allowed to call internal-gateway Default: ["edge-gateway"], can include "scheduler" for multi-cluster mode |
spec.services.internalGateway.config.allowedCallers[] | string | No | - | - |
spec.services.internalGateway.config.authMode | string | No | internal | Internal authentication (for validating requests from edge-gateway and generating tokens for downstream services) AuthMode controls which authentication modes are accepted on /api/v1. Allowed values: "internal", "public", "both". Allowed values: internal, public, both. |
spec.services.internalGateway.config.baseUrl | string | No | http://localhost:8080 | Base URL for OIDC callbacks |
spec.services.internalGateway.config.builtInAuth | object | No | - | Built-in Authentication |
spec.services.internalGateway.config.builtInAuth.adminOnly | boolean | No | - | AdminOnly restricts built-in auth to admin accounts only |
spec.services.internalGateway.config.builtInAuth.allowRegistration | boolean | No | - | AllowRegistration allows new users to register |
spec.services.internalGateway.config.builtInAuth.emailVerificationRequired | boolean | No | - | EmailVerificationRequired requires email verification |
spec.services.internalGateway.config.builtInAuth.enabled | boolean | No | true | Enabled enables built-in email/password authentication |
spec.services.internalGateway.config.databaseMaxConns | integer | No | 30 | - |
spec.services.internalGateway.config.databaseMinConns | integer | No | 8 | - |
spec.services.internalGateway.config.defaultTeamName | string | No | Personal Team | Identity and Teams |
spec.services.internalGateway.config.healthCheckPeriod | string | No | 10s | - |
spec.services.internalGateway.config.httpPort | integer | No | 8443 | Server configuration |
spec.services.internalGateway.config.jwtAccessTokenTTL | string | No | 15m | - |
spec.services.internalGateway.config.jwtIssuer | string | No | - | - |
spec.services.internalGateway.config.jwtRefreshTokenTTL | string | No | 168h | - |
spec.services.internalGateway.config.logLevel | string | No | info | - |
spec.services.internalGateway.config.oidcProviders | array<object> | No | - | OIDC Providers |
spec.services.internalGateway.config.oidcProviders[] | object | No | - | OIDCProviderConfig configures an OIDC provider. |
spec.services.internalGateway.config.oidcProviders[].autoProvision | boolean | No | - | AutoProvision automatically creates users on first login |
spec.services.internalGateway.config.oidcProviders[].clientId | string | No | - | ClientID is the OAuth client ID |
spec.services.internalGateway.config.oidcProviders[].clientSecret | string | No | - | ClientSecret is the OAuth client secret |
spec.services.internalGateway.config.oidcProviders[].discoveryUrl | string | No | - | DiscoveryURL is the OIDC discovery URL (.well-known/openid-configuration) |
spec.services.internalGateway.config.oidcProviders[].enabled | boolean | No | - | Enabled toggles the provider |
spec.services.internalGateway.config.oidcProviders[].id | string | No | - | ID is the unique identifier for the provider (e.g., "github", "google") |
spec.services.internalGateway.config.oidcProviders[].name | string | No | - | Name is the display name |
spec.services.internalGateway.config.oidcProviders[].scopes | array<string> | No | [openid, email, profile] | Scopes are the OAuth scopes to request |
spec.services.internalGateway.config.oidcProviders[].scopes[] | string | No | - | - |
spec.services.internalGateway.config.oidcProviders[].teamMapping | object | No | - | TeamMapping configures automatic team assignment |
spec.services.internalGateway.config.oidcProviders[].teamMapping.defaultRole | string | No | - | DefaultRole is the role assigned to new users |
spec.services.internalGateway.config.oidcProviders[].teamMapping.defaultTeamId | string | No | - | DefaultTeamID is the team to add users to |
spec.services.internalGateway.config.oidcProviders[].teamMapping.domain | string | No | - | Domain filters users by email domain |
spec.services.internalGateway.config.oidcStateCleanupInterval | string | No | 5m | - |
spec.services.internalGateway.config.oidcStateTTL | string | No | 10m | - |
spec.services.internalGateway.config.procdStoragePermissions | array<string> | No | [sandboxvolume:read, sandboxvolume:write] | - |
spec.services.internalGateway.config.procdStoragePermissions[] | string | No | - | - |
spec.services.internalGateway.config.proxyTimeout | string | No | 10s | Proxy configuration |
spec.services.internalGateway.config.rateLimitBurst | integer | No | 200 | - |
spec.services.internalGateway.config.rateLimitCleanupInterval | string | No | 10m | - |
spec.services.internalGateway.config.rateLimitRPS | integer | No | 100 | Rate limiting |
spec.services.internalGateway.config.regionId | string | No | - | RegionID is the canonical region identifier used by tenancy and routing contracts, for example "aws/us-east-1". |
spec.services.internalGateway.config.schedulerPermissions | array<string> | No | [*:*] | Permissions |
spec.services.internalGateway.config.schedulerPermissions[] | string | No | - | - |
spec.services.internalGateway.config.shutdownTimeout | string | No | 30s | Timeouts |
spec.services.internalGateway.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.internalGateway.ingress | object | No | - | Ingress configures ingress settings |
spec.services.internalGateway.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.internalGateway.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.internalGateway.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.internalGateway.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.internalGateway.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.internalGateway.resources | object | No | - | Resources specifies resource requirements |
spec.services.internalGateway.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.internalGateway.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.internalGateway.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.internalGateway.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.internalGateway.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.internalGateway.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.internalGateway.service | object | No | - | Service configures the Kubernetes service |
spec.services.internalGateway.service.port | integer | No | 80 | Port specifies the service port |
spec.services.internalGateway.service.type | string | No | ClusterIP | Type specifies the service type |
Service: managerspec.services.manager66 fieldsManager configures the manager service (data plane)
Service: manager
spec.services.manager
66 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.manager | object | No | - | Manager configures the manager service (data plane) |
spec.services.manager.config | object | No | - | Config contains manager specific configuration |
spec.services.manager.config.autoscaler | object | No | - | Autoscaler config for pool scaling behavior |
spec.services.manager.config.autoscaler.maxScaleStep | integer | No | 10 | MaxScaleStep caps the maximum pods to add in a single scale operation. |
spec.services.manager.config.autoscaler.minIdleBuffer | integer | No | 2 | MinIdleBuffer is the minimum number of idle pods to maintain above minIdle. When idle count drops to minIdle + MinIdleBuffer, proactive scaling kicks in. |
spec.services.manager.config.autoscaler.minScaleInterval | string | No | 100ms | MinScaleInterval is the minimum time between scale operations for a template. This prevents thundering herd when multiple cold claims arrive simultaneously. |
spec.services.manager.config.autoscaler.noTrafficScaleDownAfter | string | No | 10m | NoTrafficScaleDownAfter is the duration without any claims before scaling down. Scale down is still async and happens in the background reconcile loop. |
spec.services.manager.config.autoscaler.scaleDownPercent | string | No | 0.1 | ScaleDownPercent is the percentage to reduce replicas during scale down. |
spec.services.manager.config.autoscaler.scaleUpFactor | string | No | 1.5 | ScaleUpFactor determines how aggressively to scale up. When cold claim occurs, newReplicas = current * ScaleUpFactor. |
spec.services.manager.config.autoscaler.targetIdleRatio | string | No | 0.2 | TargetIdleRatio is the target ratio of idle pods to active pods. Formula: desiredIdle = active * TargetIdleRatio |
spec.services.manager.config.cleanupInterval | string | No | 60s | Cleanup Controller |
spec.services.manager.config.databaseMaxConns | integer | No | 10 | - |
spec.services.manager.config.databaseMinConns | integer | No | 2 | - |
spec.services.manager.config.defaultSandboxTTL | string | No | 0s | Sandbox |
spec.services.manager.config.httpPort | integer | No | 8080 | HTTP Server |
spec.services.manager.config.kubeConfig | string | No | - | Kubernetes |
spec.services.manager.config.leaderElection | boolean | No | true | - |
spec.services.manager.config.logLevel | string | No | info | Logging |
spec.services.manager.config.metricsPort | integer | No | 9090 | Metrics |
spec.services.manager.config.netdPolicyApplyPollInterval | string | No | 500ms | - |
spec.services.manager.config.netdPolicyApplyTimeout | string | No | 30s | Netd apply wait |
spec.services.manager.config.pauseMemoryBufferRatio | string | No | 1.1 | - |
spec.services.manager.config.pauseMinCPU | string | No | 10m | - |
spec.services.manager.config.pauseMinMemoryLimit | string | No | 32Mi | - |
spec.services.manager.config.pauseMinMemoryRequest | string | No | 10Mi | Pause/Resume |
spec.services.manager.config.procdClientTimeout | string | No | 30s | Timeouts |
spec.services.manager.config.procdConfig | object | No | - | Procd config injected into sandbox pods |
spec.services.manager.config.procdConfig.cacheMaxBytes | integer | No | 104857600 | Cache configuration |
spec.services.manager.config.procdConfig.cacheTTL | string | No | 30s | - |
spec.services.manager.config.procdConfig.contextCleanupInterval | string | No | 30s | Context cleanup configuration |
spec.services.manager.config.procdConfig.contextFinishedTTL | string | No | 0s | - |
spec.services.manager.config.procdConfig.contextIdleTimeout | string | No | 0s | - |
spec.services.manager.config.procdConfig.contextMaxLifetime | string | No | 0s | - |
spec.services.manager.config.procdConfig.httpPort | integer | No | 49983 | Server configuration |
spec.services.manager.config.procdConfig.juicefsBufferSize | string | No | 300 | - |
spec.services.manager.config.procdConfig.juicefsCacheSize | string | No | 100 | JuiceFS Mount Defaults |
spec.services.manager.config.procdConfig.juicefsPrefetch | integer | No | 3 | - |
spec.services.manager.config.procdConfig.juicefsWriteback | boolean | No | true | - |
spec.services.manager.config.procdConfig.logLevel | string | No | info | - |
spec.services.manager.config.procdConfig.rootPath | string | No | /workspace | File manager configuration |
spec.services.manager.config.procdConfig.webhookBaseBackoff | string | No | 500ms | - |
spec.services.manager.config.procdConfig.webhookMaxRetries | integer | No | 3 | - |
spec.services.manager.config.procdConfig.webhookQueueSize | integer | No | 256 | - |
spec.services.manager.config.procdConfig.webhookRequestTimeout | string | No | 5s | - |
spec.services.manager.config.procdInitTimeout | string | No | 6s | - |
spec.services.manager.config.resyncPeriod | string | No | 30s | - |
spec.services.manager.config.shutdownTimeout | string | No | 30s | - |
spec.services.manager.config.webhookCertPath | string | No | /tmp/k8s-webhook-server/serving-certs/tls.crt | - |
spec.services.manager.config.webhookKeyPath | string | No | /tmp/k8s-webhook-server/serving-certs/tls.key | - |
spec.services.manager.config.webhookPort | integer | No | 9443 | Webhook |
spec.services.manager.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.manager.ingress | object | No | - | Ingress configures ingress settings |
spec.services.manager.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.manager.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.manager.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.manager.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.manager.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.manager.resources | object | No | - | Resources specifies resource requirements |
spec.services.manager.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.manager.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.manager.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.manager.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.manager.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.manager.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.manager.service | object | No | - | Service configures the Kubernetes service |
spec.services.manager.service.port | integer | No | 80 | Port specifies the service port |
spec.services.manager.service.type | string | No | ClusterIP | Type specifies the service type |
Service: storageProxyspec.services.storageProxy58 fieldsStorageProxy configures the storage-proxy service (data plane)
Service: storageProxy
spec.services.storageProxy
58 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.storageProxy | object | No | - | StorageProxy configures the storage-proxy service (data plane) |
spec.services.storageProxy.config | object | No | - | Config contains storage-proxy specific configuration |
spec.services.storageProxy.config.auditFile | string | No | /var/log/storage-proxy/audit.log | - |
spec.services.storageProxy.config.auditLog | boolean | No | true | - |
spec.services.storageProxy.config.cacheDir | string | No | /var/lib/storage-proxy/cache | - |
spec.services.storageProxy.config.cleanupInterval | string | No | 60s | - |
spec.services.storageProxy.config.databaseMaxConns | integer | No | 30 | - |
spec.services.storageProxy.config.databaseMinConns | integer | No | 5 | - |
spec.services.storageProxy.config.databaseSchema | string | No | sp | - |
spec.services.storageProxy.config.defaultCacheSize | string | No | 1G | - |
spec.services.storageProxy.config.flushTimeout | string | No | 30s | - |
spec.services.storageProxy.config.grpcAddr | string | No | 0.0.0.0 | gRPC Server |
spec.services.storageProxy.config.grpcPort | integer | No | 8080 | - |
spec.services.storageProxy.config.heartbeatInterval | string | No | 5s | Coordination |
spec.services.storageProxy.config.heartbeatTimeout | integer | No | 15 | - |
spec.services.storageProxy.config.httpAddr | string | No | 0.0.0.0 | HTTP Management API |
spec.services.storageProxy.config.httpIdleTimeout | string | No | 60s | - |
spec.services.storageProxy.config.httpPort | integer | No | 8081 | - |
spec.services.storageProxy.config.httpReadTimeout | string | No | 15s | Timeouts |
spec.services.storageProxy.config.httpWriteTimeout | string | No | 15s | - |
spec.services.storageProxy.config.juicefsAttrTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsBlockSize | integer | No | 4096 | - |
spec.services.storageProxy.config.juicefsCompression | string | No | lz4 | - |
spec.services.storageProxy.config.juicefsDirEntryTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsEncryptionAlgo | string | No | aes256gcm-rsa | - |
spec.services.storageProxy.config.juicefsEncryptionEnabled | boolean | No | false | - |
spec.services.storageProxy.config.juicefsEncryptionKeyPath | string | No | - | - |
spec.services.storageProxy.config.juicefsEncryptionPassphrase | string | No | - | - |
spec.services.storageProxy.config.juicefsEntryTimeout | string | No | 1s | - |
spec.services.storageProxy.config.juicefsMaxUpload | integer | No | 20 | - |
spec.services.storageProxy.config.juicefsMetaRetries | integer | No | 10 | - |
spec.services.storageProxy.config.juicefsName | string | No | sandbox0 | - |
spec.services.storageProxy.config.juicefsTrashDays | integer | No | 1 | - |
spec.services.storageProxy.config.kubeconfigPath | string | No | - | Kubernetes |
spec.services.storageProxy.config.logLevel | string | No | info | Logging |
spec.services.storageProxy.config.maxBytesPerSecond | integer | No | 1073741824 | - |
spec.services.storageProxy.config.maxOpsPerSecond | integer | No | 10000 | Rate limiting |
spec.services.storageProxy.config.metricsEnabled | boolean | No | true | Monitoring |
spec.services.storageProxy.config.metricsPort | integer | No | 9090 | - |
spec.services.storageProxy.config.restoreRemountTimeout | string | No | 30s | Snapshot restore |
spec.services.storageProxy.config.watchEventQueueSize | integer | No | 256 | - |
spec.services.storageProxy.config.watchEventsEnabled | boolean | No | true | Watch events |
spec.services.storageProxy.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.storageProxy.ingress | object | No | - | Ingress configures ingress settings |
spec.services.storageProxy.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.storageProxy.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.storageProxy.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.storageProxy.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.storageProxy.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.storageProxy.resources | object | No | - | Resources specifies resource requirements |
spec.services.storageProxy.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.storageProxy.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.storageProxy.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.storageProxy.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.storageProxy.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.storageProxy.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.storageProxy.service | object | No | - | Service configures the Kubernetes service |
spec.services.storageProxy.service.port | integer | No | 80 | Port specifies the service port |
spec.services.storageProxy.service.type | string | No | ClusterIP | Type specifies the service type |
Service: netdspec.services.netd69 fieldsNetd configures the netd service (data plane)
Service: netd
spec.services.netd
69 fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
spec.services.netd | object | No | - | Netd configures the netd service (data plane) |
spec.services.netd.config | object | No | - | Config contains netd specific configuration |
spec.services.netd.config.auditLogMaxBackups | integer | No | 5 | - |
spec.services.netd.config.auditLogMaxBytes | integer | No | 104857600 | - |
spec.services.netd.config.auditLogPath | string | No | - | - |
spec.services.netd.config.bpfFsPath | string | No | - | - |
spec.services.netd.config.bpfPinPath | string | No | - | - |
spec.services.netd.config.burstRatio | string | No | 0.125 | - |
spec.services.netd.config.dnsPort | integer | No | 53 | - |
spec.services.netd.config.edtHorizon | string | No | 200ms | - |
spec.services.netd.config.egressAuthEnabled | boolean | No | false | - |
spec.services.netd.config.egressAuthFailurePolicy | string | No | fail-closed | - |
spec.services.netd.config.egressAuthResolverTimeout | string | No | 2s | EgressAuthResolverTimeout is the timeout for runtime egress auth resolve calls. |
spec.services.netd.config.egressAuthResolverUrl | string | No | - | EgressAuthResolverURL is the base URL for the runtime egress auth resolver. |
spec.services.netd.config.failClosed | boolean | No | true | - |
spec.services.netd.config.healthPort | integer | No | 8081 | - |
spec.services.netd.config.logLevel | string | No | info | - |
spec.services.netd.config.meteringReportInterval | string | No | 10s | - |
spec.services.netd.config.metricsPort | integer | No | 9091 | - |
spec.services.netd.config.metricsReportInterval | string | No | 10s | - |
spec.services.netd.config.mitmCaCertPath | string | No | - | - |
spec.services.netd.config.mitmCaKeyPath | string | No | - | - |
spec.services.netd.config.mitmLeafTtl | string | No | 1h | - |
spec.services.netd.config.nodeName | string | No | - | - |
spec.services.netd.config.platformAllowedCidrs | array<string> | No | - | Platform allow/deny lists (override user policy) |
spec.services.netd.config.platformAllowedCidrs[] | string | No | - | - |
spec.services.netd.config.platformAllowedDomains | array<string> | No | - | - |
spec.services.netd.config.platformAllowedDomains[] | string | No | - | - |
spec.services.netd.config.platformDeniedCidrs | array<string> | No | - | - |
spec.services.netd.config.platformDeniedCidrs[] | string | No | - | - |
spec.services.netd.config.platformDeniedDomains | array<string> | No | - | - |
spec.services.netd.config.platformDeniedDomains[] | string | No | - | - |
spec.services.netd.config.preferNft | boolean | No | true | - |
spec.services.netd.config.proxyHeaderLimit | integer | No | - | - |
spec.services.netd.config.proxyHttpPort | integer | No | 18080 | - |
spec.services.netd.config.proxyHttpsPort | integer | No | 18443 | - |
spec.services.netd.config.proxyListenAddr | string | No | 0.0.0.0 | Proxy settings |
spec.services.netd.config.proxyUpstreamTimeout | string | No | 30s | - |
spec.services.netd.config.resyncPeriod | string | No | 30s | - |
spec.services.netd.config.shutdownDelay | string | No | 2s | - |
spec.services.netd.config.useEbpf | boolean | No | - | eBPF and tc |
spec.services.netd.config.useEdt | boolean | No | - | - |
spec.services.netd.config.vethPrefix | string | No | - | - |
spec.services.netd.enabled | boolean | No | false | Enabled enables or disables the service |
spec.services.netd.ingress | object | No | - | Ingress configures ingress settings |
spec.services.netd.ingress.className | string | No | - | ClassName specifies the ingress class name |
spec.services.netd.ingress.enabled | boolean | No | false | Enabled enables ingress |
spec.services.netd.ingress.host | string | No | - | Host specifies the ingress host |
spec.services.netd.ingress.tlsSecret | string | No | - | TLSSecret specifies the TLS secret name |
spec.services.netd.mitmCaSecretName | string | No | - | MITMCASecretName overrides the operator-managed cluster-local MITM CA secret for HTTPS interception. Expected keys are ca.crt and ca.key. When unset, infra-operator generates and reuses a managed secret. |
spec.services.netd.nodeSelector | object | No | - | NodeSelector constrains netd onto a specific node set. Deprecated: use spec.sandboxNodePlacement.nodeSelector instead. This field remains as a backward-compatible alias when the shared placement is unset. |
spec.services.netd.replicas | integer | No | 1 | Replicas specifies the number of replicas |
spec.services.netd.resources | object | No | - | Resources specifies resource requirements |
spec.services.netd.resources.claims | array<object> | No | - | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
spec.services.netd.resources.claims[] | object | No | - | ResourceClaim references one entry in PodSpec.ResourceClaims. |
spec.services.netd.resources.claims[].name | string | Yes | - | Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. |
spec.services.netd.resources.claims[].request | string | No | - | Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request. |
spec.services.netd.resources.limits | object | No | - | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.netd.resources.requests | object | No | - | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
spec.services.netd.runtimeClassName | string | No | - | RuntimeClassName specifies the Kubernetes runtime class for the netd daemonset. Use a host-compatible runtime such as runc. Do not run netd on gVisor or Kata. |
spec.services.netd.service | object | No | - | Service configures the Kubernetes service |
spec.services.netd.service.port | integer | No | 80 | Port specifies the service port |
spec.services.netd.service.type | string | No | ClusterIP | Type specifies the service type |
spec.services.netd.tolerations | array<object> | No | - | Tolerations allow netd to run on tainted sandbox nodes. Deprecated: use spec.sandboxNodePlacement.tolerations instead. This field remains as a backward-compatible alias when the shared placement is unset. |
spec.services.netd.tolerations[] | object | No | - | The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. |
spec.services.netd.tolerations[].effect | string | No | - | Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. |
spec.services.netd.tolerations[].key | string | No | - | Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. |
spec.services.netd.tolerations[].operator | string | No | - | Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). |
spec.services.netd.tolerations[].tolerationSeconds | integer | No | - | TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. |
spec.services.netd.tolerations[].value | string | No | - | Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. |
Practical Rules#
- Pin the
infra-operatorchart version in production instead of relying on floating tags. - Prefer external PostgreSQL and external object storage for serious deployments.
- Enable
storageProxyonly when you need volume and snapshot features. - Enable
netdonly on Linux nodes and only when you need network policy enforcement. - Use
sandboxNodePlacementto keep sandbox workloads and node-local sandbox services on the same node set. - If sandbox workloads use
gvisororkata, keepservices.netd.runtimeClassNameon a host-compatible runtime such as the cluster default runtime. - Keep control-plane and data-plane components in the same storage and latency domain for a given region.