KubeadmControlPlane [controlplane.cluster.x-k8s.io/v1beta1]

Description
KubeadmControlPlane is the Schema for the KubeadmControlPlane API.
Type
object

Specification

Property Type Description
apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata ObjectMeta

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

spec object

spec is the desired state of KubeadmControlPlane.

status object

status is the observed state of KubeadmControlPlane.

.spec

Description
spec is the desired state of KubeadmControlPlane.
Type
object
Required
kubeadmConfigSpec, machineTemplate, version
Property Type Description
kubeadmConfigSpec object

kubeadmConfigSpec is a KubeadmConfigSpec to use for initializing and joining machines to the control plane.

machineNamingStrategy object

machineNamingStrategy allows changing the naming pattern used when creating Machines. InfraMachines & KubeadmConfigs will use the same name as the corresponding Machines.

machineTemplate object

machineTemplate contains information about how machines should be shaped when creating or updating a control plane.

remediationStrategy object

remediationStrategy is the RemediationStrategy that controls how control plane machine remediation happens.

replicas integer

replicas is the number of desired machines. Defaults to 1. When stacked etcd is used only odd numbers are permitted, as per etcd best practice. This is a pointer to distinguish between explicit zero and not specified.

rolloutAfter string

rolloutAfter is a field to indicate a rollout should be performed after the specified time even if no changes have been made to the KubeadmControlPlane. Example: In the YAML the time can be specified in the RFC3339 format. To specify the rolloutAfter target as March 9, 2023, at 9 am UTC use "2023-03-09T09:00:00Z".

rolloutBefore object

rolloutBefore is a field to indicate a rollout should be performed if the specified criteria are met.

rolloutStrategy object

rolloutStrategy is the RolloutStrategy to use to replace control plane machines with new ones.

version string

version defines the desired Kubernetes version. Please note that if kubeadmConfigSpec.ClusterConfiguration.imageRepository is not set we don't allow upgrades to versions >= v1.22.0 for which kubeadm uses the old registry (k8s.gcr.io). Please use a newer patch version with the new registry instead. The default registries of kubeadm are:

  • registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0
  • k8s.gcr.io (old registry): all older versions

.spec.kubeadmConfigSpec

Description
kubeadmConfigSpec is a KubeadmConfigSpec to use for initializing and joining machines to the control plane.
Type
object
Property Type Description
bootCommands array

bootCommands specifies extra commands to run very early in the boot process via the cloud-init bootcmd module. bootcmd runs on every boot; the 'cloud-init-per' command can be used to make bootcmd run exactly once. This is typically run in the cloud-init.service systemd unit. This has no effect in Ignition.

clusterConfiguration object

clusterConfiguration along with InitConfiguration are the configurations necessary for the init command

diskSetup object

diskSetup specifies options for the creation of partition tables and file systems on devices.

files array

files specifies extra files to be passed to user_data upon creation.

format string

format specifies the output format of the bootstrap data

ignition object

ignition contains Ignition specific configuration.

initConfiguration object

initConfiguration along with ClusterConfiguration are the configurations necessary for the init command

joinConfiguration object

joinConfiguration is the kubeadm configuration for the join command

mounts array

mounts specifies a list of mount points to be set up.

ntp object

ntp specifies NTP configuration

postKubeadmCommands array

postKubeadmCommands specifies extra commands to run after kubeadm runs. With cloud-init, this is appended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is appended to /etc/kubeadm.sh.

preKubeadmCommands array

preKubeadmCommands specifies extra commands to run before kubeadm runs. With cloud-init, this is prepended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is prepended to /etc/kubeadm.sh.

useExperimentalRetryJoin boolean

useExperimentalRetryJoin replaces a basic kubeadm command with a shell script with retries for joins.

This is meant to be an experimental temporary workaround on some environments where joins fail due to timing (and other issues). The long term goal is to add retries to kubeadm proper and use that functionality.

This will add about 40KB to userdata

For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055.

Deprecated: This experimental fix is no longer needed and this field will be removed in a future release. When removing also remove from staticcheck exclude-rules for SA1019 in golangci.yml

users array

users specifies extra users to add

verbosity integer

verbosity is the number for the kubeadm log level verbosity. It overrides the --v flag in kubeadm commands.

.spec.kubeadmConfigSpec.bootCommands

Description
bootCommands specifies extra commands to run very early in the boot process via the cloud-init bootcmd module. bootcmd runs on every boot; the 'cloud-init-per' command can be used to make bootcmd run exactly once. This is typically run in the cloud-init.service systemd unit. This has no effect in Ignition.
Type
array

.spec.kubeadmConfigSpec.bootCommands[]

Type
string

.spec.kubeadmConfigSpec.clusterConfiguration

Description
clusterConfiguration along with InitConfiguration are the configurations necessary for the init command
Type
object
Property Type Description
apiServer object

apiServer contains extra settings for the API server control plane component

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

certificatesDir string

certificatesDir specifies where to store or look for all required certificates. NB: if not provided, this will default to /etc/kubernetes/pki

clusterName string

clusterName is the cluster name

controlPlaneEndpoint string

controlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port. In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint is specified but without a TCP port, the BindPort is used. Possible usages are:

  • In a cluster with more than one control plane instance, this field should be assigned the address of the external load balancer in front of the control plane instances.
  • In environments with enforced node recycling, the ControlPlaneEndpoint could be used for assigning a stable DNS to the control plane.

NB: This value defaults to the first value in the Cluster object status.apiEndpoints array.

controllerManager object

controllerManager contains extra settings for the controller manager control plane component

dns object

dns defines the options for the DNS add-on installed in the cluster.

etcd object

etcd holds configuration for etcd. NB: This value defaults to a Local (stacked) etcd

featureGates object

featureGates enabled by the user.

imageRepository string

imageRepository sets the container registry to pull images from.

  • If not set, the default registry of kubeadm will be used, i.e.
    • registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0
    • k8s.gcr.io (old registry): all older versions

    Please note that when imageRepository is not set we don't allow upgrades to versions >= v1.22.0 which use the old registry (k8s.gcr.io). Please use a newer patch version with the new registry instead (i.e. >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0).

  • If the version is a CI build (kubernetes version starts with ci/ or ci-cross/) gcr.io/k8s-staging-ci-images will be used as a default for control plane components and for kube-proxy, while registry.k8s.io will be used for all the other images.

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

kubernetesVersion string

kubernetesVersion is the target version of the control plane. NB: This value defaults to the Machine object spec.version

networking object

networking holds configuration for the networking topology of the cluster. NB: This value defaults to the Cluster object spec.clusterNetwork.

scheduler object

scheduler contains extra settings for the scheduler control plane component
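
The registry rule stated for spec.version and for clusterConfiguration.imageRepository can be checked before a manifest is applied. The following is an added example, not Cluster API code; the names CheckVersion, Decision and parseVersion are hypothetical, and pre-release and build suffixes are ignored as a simplification.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	newRegistry = "registry.k8s.io"
	oldRegistry = "k8s.gcr.io"
	ciRegistry  = "gcr.io/k8s-staging-ci-images"
)

// firstPatchOnNewRegistry maps a v1 minor release to the first patch release
// whose kubeadm defaults to registry.k8s.io, as listed in the field description.
var firstPatchOnNewRegistry = map[int]int{22: 17, 23: 15, 24: 9}

type version struct{ major, minor, patch int }

// parseVersion reads "vMAJOR.MINOR.PATCH". Assumption of this example:
// pre-release and build suffixes ("-rc.1", "+build") are dropped.
func parseVersion(s string) (version, error) {
	core := strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("%q is not MAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("%q has a non-numeric component %q", s, p)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// kubeadmDefaultRegistry returns the registry kubeadm defaults to for v.
func kubeadmDefaultRegistry(v version) string {
	if v.major > 1 || (v.major == 1 && v.minor >= 25) {
		return newRegistry
	}
	if first, ok := firstPatchOnNewRegistry[v.minor]; ok && v.major == 1 && v.patch >= first {
		return newRegistry
	}
	return oldRegistry
}

// Decision is the outcome of checking spec.version against imageRepository.
type Decision struct {
	Registry string // where control plane images would be pulled from
	Allowed  bool   // false when the documented upgrade restriction applies
	Reason   string
}

// CheckVersion applies the documented rule to one (imageRepository, version) pair.
func CheckVersion(imageRepository, target string) (Decision, error) {
	if imageRepository != "" {
		return Decision{imageRepository, true, "imageRepository is set explicitly"}, nil
	}
	if strings.HasPrefix(target, "ci/") || strings.HasPrefix(target, "ci-cross/") {
		return Decision{ciRegistry, true,
			"CI build: staging registry for control plane components and kube-proxy"}, nil
	}
	v, err := parseVersion(target)
	if err != nil {
		return Decision{}, err
	}
	reg := kubeadmDefaultRegistry(v)
	// Versions >= v1.22.0 that still default to k8s.gcr.io are the rejected case.
	if reg == oldRegistry && v.major == 1 && v.minor >= 22 {
		return Decision{reg, false,
			"version >= v1.22.0 defaults to the old registry; use a newer patch or set imageRepository"}, nil
	}
	return Decision{reg, true, "kubeadm default registry"}, nil
}

func main() {
	// Constructed sample inputs; mirror.example.internal is a placeholder registry.
	samples := [][2]string{
		{"", "v1.21.14"}, {"", "v1.22.16"}, {"", "v1.24.9"},
		{"", "v1.25.0"}, {"", "ci/latest"}, {"mirror.example.internal/k8s", "v1.24.8"},
	}
	for _, s := range samples {
		d, err := CheckVersion(s[0], s[1])
		if err != nil {
			fmt.Println(s[1], "error:", err)
			continue
		}
		fmt.Printf("%-10s repo=%-28q allowed=%-5v registry=%s (%s)\n",
			s[1], s[0], d.Allowed, d.Registry, d.Reason)
	}
}
```
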

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer

Description
apiServer contains extra settings for the API server control plane component
Type
object
Property Type Description
certSANs array

certSANs sets extra Subject Alternative Names for the API Server signing cert.

extraArgs object

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvs array

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumes array

extraVolumes is an extra set of host volumes, mounted to the control plane component.

timeoutForControlPlane string

timeoutForControlPlane controls the timeout that we use for API server to appear

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.certSANs

Description
certSANs sets extra Subject Alternative Names for the API Server signing cert.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.certSANs[]

Type
string

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs

Description
extraArgs is an extra set of flags to pass to the control plane component.
Type
object

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs

Description
extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[]

Description
EnvVar represents an environment variable present in a Container.
Type
object
Required
name
Property Type Description
name string

Name of the environment variable. Must be a C_IDENTIFIER.

value string

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFrom object

Source for the environment variable's value. Cannot be used if value is not empty.

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[].valueFrom

Description
Source for the environment variable's value. Cannot be used if value is not empty.
Type
object
Property Type Description
configMapKeyRef object

Selects a key of a ConfigMap.

fieldRef object

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRef object

Selects a key of a secret in the pod's namespace

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[].valueFrom.configMapKeyRef

Description
Selects a key of a ConfigMap.
Type
object
Required
key
Property Type Description
key string

The key to select.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[].valueFrom.fieldRef

Description
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Type
object
Required
fieldPath
Property Type Description
apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string

Path of the field to select in the specified API version.

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[].valueFrom.resourceFieldRef

Description
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Type
object
Required
resource
Property Type Description
containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string

Required: resource to select

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraEnvs[].valueFrom.secretKeyRef

Description
Selects a key of a secret in the pod's namespace
Type
object
Required
key
Property Type Description
key string

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraVolumes

Description
extraVolumes is an extra set of host volumes, mounted to the control plane component.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraVolumes[]

Description
HostPathMount contains elements describing volumes that are mounted from the host.
Type
object
Required
hostPath, mountPath, name
Property Type Description
hostPath string

hostPath is the path in the host that will be mounted inside the pod.

mountPath string

mountPath is the path inside the pod where hostPath will be mounted.

name string

name of the volume inside the pod template.

pathType string

pathType is the type of the HostPath.

readOnly boolean

readOnly controls write access to the volume

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager

Description
controllerManager contains extra settings for the controller manager control plane component
Type
object
Property Type Description
extraArgs object

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvs array

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumes array

extraVolumes is an extra set of host volumes, mounted to the control plane component.

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraArgs

Description
extraArgs is an extra set of flags to pass to the control plane component.
Type
object

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs

Description
extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[]

Description
EnvVar represents an environment variable present in a Container.
Type
object
Required
name
Property Type Description
name string

Name of the environment variable. Must be a C_IDENTIFIER.

value string

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFrom object

Source for the environment variable's value. Cannot be used if value is not empty.

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[].valueFrom

Description
Source for the environment variable's value. Cannot be used if value is not empty.
Type
object
Property Type Description
configMapKeyRef object

Selects a key of a ConfigMap.

fieldRef object

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRef object

Selects a key of a secret in the pod's namespace

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[].valueFrom.configMapKeyRef

Description
Selects a key of a ConfigMap.
Type
object
Required
key
Property Type Description
key string

The key to select.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[].valueFrom.fieldRef

Description
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Type
object
Required
fieldPath
Property Type Description
apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string

Path of the field to select in the specified API version.

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[].valueFrom.resourceFieldRef

Description
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Type
object
Required
resource
Property Type Description
containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string

Required: resource to select

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraEnvs[].valueFrom.secretKeyRef

Description
Selects a key of a secret in the pod's namespace
Type
object
Required
key
Property Type Description
key string

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraVolumes

Description
extraVolumes is an extra set of host volumes, mounted to the control plane component.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.controllerManager.extraVolumes[]

Description
HostPathMount contains elements describing volumes that are mounted from the host.
Type
object
Required
hostPath, mountPath, name
Property Type Description
hostPath string

hostPath is the path in the host that will be mounted inside the pod.

mountPath string

mountPath is the path inside the pod where hostPath will be mounted.

name string

name of the volume inside the pod template.

pathType string

pathType is the type of the HostPath.

readOnly boolean

readOnly controls write access to the volume

.spec.kubeadmConfigSpec.clusterConfiguration.dns

Description
dns defines the options for the DNS add-on installed in the cluster.
Type
object
Property Type Description
imageRepository string

imageRepository sets the container registry to pull images from. If not set, the ImageRepository defined in ClusterConfiguration will be used instead.

imageTag string

imageTag allows specifying a tag for the image. If this value is set, kubeadm does not automatically change the version of the above components during upgrades.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd

Description
etcd holds configuration for etcd. NB: This value defaults to a Local (stacked) etcd
Type
object
Property Type Description
external object

external describes how to connect to an external etcd cluster. Local and External are mutually exclusive.

local object

local provides configuration knobs for configuring the local etcd instance. Local and External are mutually exclusive.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.external

Description
external describes how to connect to an external etcd cluster. Local and External are mutually exclusive.
Type
object
Required
caFile, certFile, endpoints, keyFile
Property Type Description
caFile string

caFile is an SSL Certificate Authority file used to secure etcd communication. Required if using a TLS connection.

certFile string

certFile is an SSL certification file used to secure etcd communication. Required if using a TLS connection.

endpoints array

endpoints of etcd members. Required for ExternalEtcd.

keyFile string

keyFile is an SSL key file used to secure etcd communication. Required if using a TLS connection.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.external.endpoints

Description
endpoints of etcd members. Required for ExternalEtcd.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.external.endpoints[]

Type
string

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local

Description
local provides configuration knobs for configuring the local etcd instance. Local and External are mutually exclusive.
Type
object
Property Type Description
dataDir string

dataDir is the directory etcd will place its data. Defaults to "/var/lib/etcd".

extraArgs object

extraArgs are extra arguments provided to the etcd binary when run inside a static pod.

extraEnvs array

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

imageRepository string

imageRepository sets the container registry to pull images from. If not set, the ImageRepository defined in ClusterConfiguration will be used instead.

imageTag string

imageTag allows specifying a tag for the image. If this value is set, kubeadm does not automatically change the version of the above components during upgrades.

peerCertSANs array

peerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.

serverCertSANs array

serverCertSANs sets extra Subject Alternative Names for the etcd server signing cert.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraArgs

Description
extraArgs are extra arguments provided to the etcd binary when run inside a static pod.
Type
object

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs

Description
extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[]

Description
EnvVar represents an environment variable present in a Container.
Type
object
Required
name
Property Type Description
name string

Name of the environment variable. Must be a C_IDENTIFIER.

value string

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFrom object

Source for the environment variable's value. Cannot be used if value is not empty.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[].valueFrom

Description
Source for the environment variable's value. Cannot be used if value is not empty.
Type
object
Property Type Description
configMapKeyRef object

Selects a key of a ConfigMap.

fieldRef object

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRef object

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRef object

Selects a key of a secret in the pod's namespace

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[].valueFrom.configMapKeyRef

Description
Selects a key of a ConfigMap.
Type
object
Required
key
Property Type Description
key string

The key to select.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[].valueFrom.fieldRef

Description
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Type
object
Required
fieldPath
Property Type Description
apiVersion string

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPath string

Path of the field to select in the specified API version.

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[].valueFrom.resourceFieldRef

Description
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Type
object
Required
resource
Property Type Description
containerName string

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resource string

Required: resource to select

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.extraEnvs[].valueFrom.secretKeyRef

Description
Selects a key of a secret in the pod's namespace
Type
object
Required
key
Property Type Description
key string

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.peerCertSANs

Description
peerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.peerCertSANs[]

Type
string

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.serverCertSANs

Description
serverCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.etcd.local.serverCertSANs[]

Type
string

.spec.kubeadmConfigSpec.clusterConfiguration.featureGates

Description
featureGates enabled by the user.
Type
object

.spec.kubeadmConfigSpec.clusterConfiguration.networking

Description
networking holds configuration for the networking topology of the cluster. NB: This value defaults to the Cluster object spec.clusterNetwork.
Type
object
Property Type Description
dnsDomain string

dnsDomain is the dns domain used by k8s services. Defaults to "cluster.local".

podSubnet string

podSubnet is the subnet used by pods. If unset, the API server will not allocate CIDR ranges for every node. Defaults to a comma-delimited string of the Cluster object's spec.clusterNetwork.services.cidrBlocks if that is set

serviceSubnet string

serviceSubnet is the subnet used by k8s services. Defaults to a comma-delimited string of the Cluster object's spec.clusterNetwork.pods.cidrBlocks, or to "10.96.0.0/12" if that's unset.

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler

Description
scheduler contains extra settings for the scheduler control plane component
Type
object
Property Type Description
extraArgs object

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvsarray

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumesarray

extraVolumes is an extra set of host volumes, mounted to the control plane component.

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraArgs

Description
extraArgs is an extra set of flags to pass to the control plane component.
Type
object

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs

Description
extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[]

Description
EnvVar represents an environment variable present in a Container.
Type
object
Required
name
PropertyTypeDescription
namestring

Name of the environment variable. Must be a C_IDENTIFIER.

valuestring

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

valueFromobject

Source for the environment variable's value. Cannot be used if value is not empty.

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[].valueFrom

Description
Source for the environment variable's value. Cannot be used if value is not empty.
Type
object
PropertyTypeDescription
configMapKeyRefobject

Selects a key of a ConfigMap.

fieldRefobject

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRefobject

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRefobject

Selects a key of a secret in the pod's namespace

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[].valueFrom.configMapKeyRef

Description
Selects a key of a ConfigMap.
Type
object
Required
key
PropertyTypeDescription
keystring

The key to select.

namestring

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optionalboolean

Specify whether the ConfigMap or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[].valueFrom.fieldRef

Description
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
Type
object
Required
fieldPath
PropertyTypeDescription
apiVersionstring

Version of the schema the FieldPath is written in terms of, defaults to "v1".

fieldPathstring

Path of the field to select in the specified API version.

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[].valueFrom.resourceFieldRef

Description
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
Type
object
Required
resource
PropertyTypeDescription
containerNamestring

Container name: required for volumes, optional for env vars

divisor

Specifies the output format of the exposed resources, defaults to "1"

resourcestring

Required: resource to select

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraEnvs[].valueFrom.secretKeyRef

Description
Selects a key of a secret in the pod's namespace
Type
object
Required
key
PropertyTypeDescription
keystring

The key of the secret to select from. Must be a valid secret key.

namestring

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optionalboolean

Specify whether the Secret or its key must be defined

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraVolumes

Description
extraVolumes is an extra set of host volumes, mounted to the control plane component.
Type
array

.spec.kubeadmConfigSpec.clusterConfiguration.scheduler.extraVolumes[]

Description
HostPathMount contains elements describing volumes that are mounted from the host.
Type
object
Required
hostPath, mountPath, name
PropertyTypeDescription
hostPathstring

hostPath is the path in the host that will be mounted inside the pod.

mountPathstring

mountPath is the path inside the pod where hostPath will be mounted.

namestring

name of the volume inside the pod template.

pathTypestring

pathType is the type of the HostPath.

readOnlyboolean

readOnly controls write access to the volume

.spec.kubeadmConfigSpec.diskSetup

Description
diskSetup specifies options for the creation of partition tables and file systems on devices.
Type
object
PropertyTypeDescription
filesystemsarray

filesystems specifies the list of file systems to setup.

partitionsarray

partitions specifies the list of the partitions to setup.

.spec.kubeadmConfigSpec.diskSetup.filesystems

Description
filesystems specifies the list of file systems to setup.
Type
array

.spec.kubeadmConfigSpec.diskSetup.filesystems[]

Description
Filesystem defines the file systems to be created.
Type
object
Required
device, filesystem
PropertyTypeDescription
devicestring

device specifies the device name

extraOptsarray

extraOpts defines extra options to add to the command for creating the file system.

filesystemstring

filesystem specifies the file system type.

labelstring

label specifies the file system label to be used. If set to None, no label is used.

overwriteboolean

overwrite defines whether or not to overwrite any existing filesystem. If true, any pre-existing file system will be destroyed. Use with caution.

partitionstring

partition specifies the partition to use. The valid options are: "auto|any", "auto", "any", "none", and <NUM>, where NUM is the actual partition number.

replaceFSstring

replaceFS is a special directive, used for Microsoft Azure that instructs cloud-init to replace a file system of <FS_TYPE>. NOTE: unless you define a label, this requires the use of the 'any' partition directive.

.spec.kubeadmConfigSpec.diskSetup.filesystems[].extraOpts

Description
extraOpts defines extra options to add to the command for creating the file system.
Type
array

.spec.kubeadmConfigSpec.diskSetup.filesystems[].extraOpts[]

Type
string

.spec.kubeadmConfigSpec.diskSetup.partitions

Description
partitions specifies the list of the partitions to setup.
Type
array

.spec.kubeadmConfigSpec.diskSetup.partitions[]

Description
Partition defines how to create and layout a partition.
Type
object
Required
device, layout
PropertyTypeDescription
devicestring

device is the name of the device.

layoutboolean

layout specifies the device layout. If it is true, a single partition will be created for the entire device. When layout is false, it means don't partition or ignore existing partitioning.

overwriteboolean

overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. Use with caution. Default is 'false'.

tableTypestring

tableType specifies the type of partition table. The following are supported: 'mbr' (default), which sets up an MS-DOS partition table, and 'gpt', which sets up a GPT partition table.

.spec.kubeadmConfigSpec.files

Description
files specifies extra files to be passed to user_data upon creation.
Type
array

.spec.kubeadmConfigSpec.files[]

Description
File defines the input for generating write_files in cloud-init.
Type
object
Required
path
PropertyTypeDescription
appendboolean

append specifies whether to append Content to existing file if Path exists.

contentstring

content is the actual content of the file.

contentFromobject

contentFrom is a referenced source of content to populate the file.

encodingstring

encoding specifies the encoding of the file contents.

ownerstring

owner specifies the ownership of the file, e.g. "root:root".

pathstring

path specifies the full path on disk where to store the file.

permissionsstring

permissions specifies the permissions to assign to the file, e.g. "0640".

.spec.kubeadmConfigSpec.files[].contentFrom

Description
contentFrom is a referenced source of content to populate the file.
Type
object
Required
secret
PropertyTypeDescription
secretobject

secret represents a secret that should populate this file.

.spec.kubeadmConfigSpec.files[].contentFrom.secret

Description
secret represents a secret that should populate this file.
Type
object
Required
key, name
PropertyTypeDescription
keystring

key is the key in the secret's data map for this value.

namestring

name of the secret in the KubeadmBootstrapConfig's namespace to use.

.spec.kubeadmConfigSpec.ignition

Description
ignition contains Ignition specific configuration.
Type
object
PropertyTypeDescription
containerLinuxConfigobject

containerLinuxConfig contains CLC specific configuration.

.spec.kubeadmConfigSpec.ignition.containerLinuxConfig

Description
containerLinuxConfig contains CLC specific configuration.
Type
object
PropertyTypeDescription
additionalConfigstring

additionalConfig contains additional configuration to be merged with the Ignition configuration generated by the bootstrapper controller. More info: https://coreos.github.io/ignition/operator-notes/#config-merging

The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/

strictboolean

strict controls if AdditionalConfig should be strictly parsed. If so, warnings are treated as errors.

.spec.kubeadmConfigSpec.initConfiguration

Description
initConfiguration along with ClusterConfiguration are the configurations necessary for the init command
Type
object
PropertyTypeDescription
apiVersionstring

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

bootstrapTokensarray

bootstrapTokens is respected at kubeadm init time and describes a set of Bootstrap Tokens to create. This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature

kindstring

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

localAPIEndpointobject

localAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node. In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process fails you may set the desired value here.

nodeRegistrationobject

nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration

patchesobject

patches contains options related to applying patches to components deployed by kubeadm during "kubeadm init". The minimum kubernetes version needed to support Patches is v1.22

skipPhasesarray

skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens

Description
bootstrapTokens is respected at `kubeadm init` time and describes a set of Bootstrap Tokens to create. This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature
Type
array

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens[]

Description
BootstrapToken describes one bootstrap token, stored as a Secret in the cluster.
Type
object
Required
token
PropertyTypeDescription
descriptionstring

description sets a human-friendly message why this token exists and what it's used for, so other administrators can know its purpose.

expiresstring

expires specifies the timestamp when this token expires. Defaults to being set dynamically at runtime based on the TTL. Expires and TTL are mutually exclusive.

groupsarray

groups specifies the extra groups that this token will authenticate as when/if used for authentication

tokenstring

token is used for establishing bidirectional trust between nodes and control-planes. Used for joining nodes in the cluster.

ttlstring

ttl defines the time to live for this token. Defaults to 24h. Expires and TTL are mutually exclusive.

usagesarray

usages describes the ways in which this token can be used. Can by default be used for establishing bidirectional trust, but that can be changed here.

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens[].groups

Description
groups specifies the extra groups that this token will authenticate as when/if used for authentication
Type
array

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens[].groups[]

Type
string

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens[].usages

Description
usages describes the ways in which this token can be used. Can by default be used for establishing bidirectional trust, but that can be changed here.
Type
array

.spec.kubeadmConfigSpec.initConfiguration.bootstrapTokens[].usages[]

Type
string

.spec.kubeadmConfigSpec.initConfiguration.localAPIEndpoint

Description
localAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node. In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process fails you may set the desired value here.
Type
object
PropertyTypeDescription
advertiseAddressstring

advertiseAddress sets the IP address for the API server to advertise.

bindPortinteger

bindPort sets the secure port for the API Server to bind to. Defaults to 6443.

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration

Description
nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration
Type
object
PropertyTypeDescription
criSocketstring

criSocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use

ignorePreflightErrorsarray

ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.

imagePullPolicystring

imagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". Defaults to "IfNotPresent". This can be used only with Kubernetes version equal to 1.22 and later.

imagePullSerialboolean

imagePullSerial specifies if image pulling performed by kubeadm must be done serially or in parallel. This option takes effect only on Kubernetes >=1.31.0. Default: true (defaulted in kubeadm)

kubeletExtraArgsobject

kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap. Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.

namestring

name is the .Metadata.Name field of the Node API object that will be created in this kubeadm init or kubeadm join operation. This field is also used in the CommonName field of the kubelet's client certificate to the API server. Defaults to the hostname of the node if not provided.

taintsarray

taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the kubeadm init process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.ignorePreflightErrors

Description
ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.
Type
array

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.ignorePreflightErrors[]

Type
string

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.kubeletExtraArgs

Description
kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap. Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
Type
object

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.taints

Description
taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the `kubeadm init` process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: []` in the YAML file. This field is solely used for Node registration.
Type
array

.spec.kubeadmConfigSpec.initConfiguration.nodeRegistration.taints[]

Description
The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.
Type
object
Required
effect, key
PropertyTypeDescription
effectstring

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

keystring

Required. The taint key to be applied to a node.

timeAddedstring

TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

valuestring

The taint value corresponding to the taint key.

.spec.kubeadmConfigSpec.initConfiguration.patches

Description
patches contains options related to applying patches to components deployed by kubeadm during "kubeadm init". The minimum kubernetes version needed to support Patches is v1.22
Type
object
PropertyTypeDescription
directorystring

directory is a path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one of "strategic" "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically. These files can be written into the target directory via KubeadmConfig.Files which specifies additional files to be created on the machine, either with content inline or by referencing a secret.

.spec.kubeadmConfigSpec.initConfiguration.skipPhases

Description
skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.
Type
array

.spec.kubeadmConfigSpec.initConfiguration.skipPhases[]

Type
string

.spec.kubeadmConfigSpec.joinConfiguration

Description
joinConfiguration is the kubeadm configuration for the join command
Type
object
PropertyTypeDescription
apiVersionstring

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

caCertPathstring

caCertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".

controlPlaneobject

controlPlane defines the additional control plane instance to be deployed on the joining node. If nil, no additional control plane instance will be deployed.

discoveryobject

discovery specifies the options for the kubelet to use during the TLS Bootstrap process

kindstring

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

nodeRegistrationobject

nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration

patchesobject

patches contains options related to applying patches to components deployed by kubeadm during "kubeadm join". The minimum kubernetes version needed to support Patches is v1.22

skipPhasesarray

skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.

.spec.kubeadmConfigSpec.joinConfiguration.controlPlane

Description
controlPlane defines the additional control plane instance to be deployed on the joining node. If nil, no additional control plane instance will be deployed.
Type
object
PropertyTypeDescription
localAPIEndpointobject

localAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.

.spec.kubeadmConfigSpec.joinConfiguration.controlPlane.localAPIEndpoint

Description
localAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.
Type
object
PropertyTypeDescription
advertiseAddressstring

advertiseAddress sets the IP address for the API server to advertise.

bindPortinteger

bindPort sets the secure port for the API Server to bind to. Defaults to 6443.

.spec.kubeadmConfigSpec.joinConfiguration.discovery

Description
discovery specifies the options for the kubelet to use during the TLS Bootstrap process
Type
object
PropertyTypeDescription
bootstrapTokenobject

bootstrapToken is used to set the options for bootstrap token based discovery. BootstrapToken and File are mutually exclusive.

fileobject

file is used to specify a file or URL to a kubeconfig file from which to load cluster information. BootstrapToken and File are mutually exclusive.

timeoutstring

timeout modifies the discovery timeout

tlsBootstrapTokenstring

tlsBootstrapToken is a token used for TLS bootstrapping. If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden. If .File is set, this field must be set in case the KubeConfigFile does not contain any other authentication information

.spec.kubeadmConfigSpec.joinConfiguration.discovery.bootstrapToken

Description
bootstrapToken is used to set the options for bootstrap token based discovery. BootstrapToken and File are mutually exclusive.
Type
object
PropertyTypeDescription
apiServerEndpointstring

apiServerEndpoint is an IP or domain name to the API server from which info will be fetched.

caCertHashesarray

caCertHashes specifies a set of public key pins to verify when token-based discovery is used. The root CA found during discovery must match one of these values. Specifying an empty set disables root CA pinning, which can be unsafe. Each hash is specified as "<type>:<value>", where the only currently supported type is "sha256". This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded ASN.1. These hashes can be calculated using, for example, OpenSSL: `openssl x509 -pubkey -in ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex`

tokenstring

token is a token used to validate cluster information fetched from the control-plane.

unsafeSkipCAVerificationboolean

unsafeSkipCAVerification allows token-based discovery without CA verification via CACertHashes. This can weaken the security of kubeadm since other nodes can impersonate the control-plane.

.spec.kubeadmConfigSpec.joinConfiguration.discovery.bootstrapToken.caCertHashes

Description
caCertHashes specifies a set of public key pins to verify when token-based discovery is used. The root CA found during discovery must match one of these values. Specifying an empty set disables root CA pinning, which can be unsafe. Each hash is specified as "<type>:<value>", where the only currently supported type is "sha256". This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded ASN.1. These hashes can be calculated using, for example, OpenSSL: `openssl x509 -pubkey -in ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex`
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.discovery.bootstrapToken.caCertHashes[]

Type
string

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file

Description
file is used to specify a file or URL to a kubeconfig file from which to load cluster information. BootstrapToken and File are mutually exclusive.
Type
object
Required
kubeConfigPath
PropertyTypeDescription
kubeConfigobject

kubeConfig is used (optionally) to generate a KubeConfig based on the KubeadmConfig's information. The file is generated at the path specified in KubeConfigPath.

Host address (server field) information is automatically populated based on the Cluster's ControlPlaneEndpoint. Certificate Authority (certificate-authority-data field) is gathered from the cluster's CA secret.

kubeConfigPathstring

kubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig

Description
kubeConfig is used (optionally) to generate a KubeConfig based on the KubeadmConfig's information. The file is generated at the path specified in KubeConfigPath. Host address (server field) information is automatically populated based on the Cluster's ControlPlaneEndpoint. Certificate Authority (certificate-authority-data field) is gathered from the cluster's CA secret.
Type
object
Required
user
PropertyTypeDescription
clusterobject

cluster contains information about how to communicate with the kubernetes cluster.

By default the following fields are automatically populated:

  • Server with the Cluster's ControlPlaneEndpoint.
  • CertificateAuthorityData with the Cluster's CA certificate.
userobject

user contains information that describes identity information. This is used to tell the kubernetes cluster who you are.

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.cluster

Description
cluster contains information about how to communicate with the kubernetes cluster.

By default the following fields are automatically populated:

  • Server with the Cluster's ControlPlaneEndpoint.
  • CertificateAuthorityData with the Cluster's CA certificate.
Type
object
PropertyTypeDescription
certificateAuthorityDatastring

certificateAuthorityData contains PEM-encoded certificate authority certificates.

Defaults to the Cluster's CA certificate if empty.

insecureSkipTLSVerifyboolean

insecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.

proxyURLstring

proxyURL is the URL to the proxy to be used for all requests made by this client. URLs with "http", "https", and "socks5" schemes are supported. If this configuration is not provided or the empty string, the client attempts to construct a proxy configuration from http_proxy and https_proxy environment variables. If these environment variables are not set, the client does not attempt to proxy requests.

socks5 proxying does not currently support spdy streaming endpoints (exec, attach, port forward).

serverstring

server is the address of the kubernetes cluster (https://hostname:port).

Defaults to https:// + Cluster.Spec.ControlPlaneEndpoint.

tlsServerNamestring

tlsServerName is used to check server certificate. If TLSServerName is empty, the hostname used to contact the server is used.
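
The discovery fields documented above can be checked mechanically before a manifest is applied. The following is an added example, not part of the original reference or of the Cluster API project: a small Python audit over a KubeadmControlPlane given as a dict. The function name `audit_discovery`, the finding messages and both sample manifests are constructed for illustration, and the manifest is audited as written, without accounting for any defaulting applied later.

```python
import re

# Pin format from the caCertHashes description: "<type>:<value>", where the
# only supported type is "sha256" and the value is a hex-encoded SHA-256 digest.
PIN_RE = re.compile(r"sha256:[0-9a-fA-F]{64}")
BASE = ".spec.kubeadmConfigSpec.joinConfiguration.discovery"


def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def audit_discovery(kcp):
    """Return a list of (field_path, message) findings for one manifest.

    Assumption: the manifest is judged exactly as written; fields that are
    absent are treated as unset.
    """
    discovery = _dig(kcp, "spec", "kubeadmConfigSpec",
                     "joinConfiguration", "discovery") or {}
    token = discovery.get("bootstrapToken")
    file_ = discovery.get("file")
    findings = []

    if token is not None and file_ is not None:
        findings.append((BASE, "bootstrapToken and file are mutually exclusive"))

    if isinstance(token, dict):
        pins = token.get("caCertHashes") or []
        if not pins:
            findings.append((BASE + ".bootstrapToken.caCertHashes",
                             "empty set disables root CA pinning"))
        for i, pin in enumerate(pins):
            if not isinstance(pin, str) or not PIN_RE.fullmatch(pin):
                findings.append((f"{BASE}.bootstrapToken.caCertHashes[{i}]",
                                 'pin is not of the form "sha256:<64 hex digits>"'))
        if token.get("unsafeSkipCAVerification") is True:
            findings.append((BASE + ".bootstrapToken.unsafeSkipCAVerification",
                             "token-based discovery without CA verification"))

    if isinstance(file_, dict):
        if _dig(file_, "kubeConfig", "cluster", "insecureSkipTLSVerify") is True:
            findings.append((BASE + ".file.kubeConfig.cluster.insecureSkipTLSVerify",
                             "server certificate validity check is skipped"))
    return findings


def _wrap(discovery):
    """Build a minimal manifest dict around a discovery block."""
    return {"spec": {"kubeadmConfigSpec": {
        "joinConfiguration": {"discovery": discovery}}}}


# Constructed sample: every weak setting described on this page at once.
RISKY_KCP = _wrap({
    "bootstrapToken": {
        "token": "abcdef.0123456789abcdef",            # constructed value
        "caCertHashes": ["sha256:" + "ab" * 32,        # well-formed pin
                         "md5:0123456789abcdef"],      # unsupported type
        "unsafeSkipCAVerification": True,
    },
    "file": {
        "kubeConfigPath": "/etc/kubernetes/discovery.conf",  # constructed path
        "kubeConfig": {"cluster": {"insecureSkipTLSVerify": True},
                       "user": {}},
    },
})

# Constructed sample: token discovery with one well-formed pin.
PINNED_KCP = _wrap({
    "bootstrapToken": {
        "token": "abcdef.0123456789abcdef",
        "caCertHashes": ["sha256:" + "0f" * 32],
    },
})

# Constructed sample: token discovery with no pins at all.
UNPINNED_KCP = _wrap({"bootstrapToken": {"token": "abcdef.0123456789abcdef"}})

if __name__ == "__main__":
    for name, manifest in (("risky", RISKY_KCP), ("pinned", PINNED_KCP),
                           ("unpinned", UNPINNED_KCP)):
        print(name)
        for path, message in audit_discovery(manifest):
            print(f"  {path}: {message}")
```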

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user

Description
user contains information that describes identity information. This is used to tell the kubernetes cluster who you are.
Type
object
PropertyTypeDescription
authProviderobject

authProvider specifies a custom authentication plugin for the kubernetes cluster.

execobject

exec specifies a custom exec-based authentication plugin for the kubernetes cluster.

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.authProvider

Description
authProvider specifies a custom authentication plugin for the kubernetes cluster.
Type
object
Required
name
PropertyTypeDescription
configobject

config holds the parameters for the authentication plugin.

namestring

name is the name of the authentication plugin.

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.authProvider.config

Description
config holds the parameters for the authentication plugin.
Type
object

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.exec

Description
exec specifies a custom exec-based authentication plugin for the kubernetes cluster.
Type
object
Required
command
PropertyTypeDescription
apiVersionstring

apiVersion is preferred input version of the ExecInfo. The returned ExecCredentials MUST use the same encoding version as the input. Defaults to client.authentication.k8s.io/v1 if not set.

argsarray

args is the arguments to pass to the command when executing it.

commandstring

command to execute.

envarray

env defines additional environment variables to expose to the process. These are unioned with the host's environment, as well as variables client-go uses to pass argument to the plugin.

provideClusterInfoboolean

provideClusterInfo determines whether or not to provide cluster information, which could potentially contain very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for reading this environment variable.

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.exec.args

Description
args is the arguments to pass to the command when executing it.
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.exec.args[]

Type
string

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.exec.env

Description
env defines additional environment variables to expose to the process. These are unioned with the host's environment, as well as variables client-go uses to pass arguments to the plugin.
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.discovery.file.kubeConfig.user.exec.env[]

Description
KubeConfigAuthExecEnv is used for setting environment variables when executing an exec-based credential plugin.
Type
object
Required
name, value
PropertyTypeDescription
namestring

name of the environment variable

valuestring

value of the environment variable

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration

Description
nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration.
Type
object
PropertyTypeDescription
criSocketstring

criSocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use

ignorePreflightErrorsarray

ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.

imagePullPolicystring

imagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". Defaults to "IfNotPresent". This can be used only with Kubernetes version equal to 1.22 and later.

imagePullSerialboolean

imagePullSerial specifies if image pulling performed by kubeadm must be done serially or in parallel. This option takes effect only on Kubernetes >=1.31.0. Default: true (defaulted in kubeadm)

kubeletExtraArgsobject

kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap. Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.

namestring

name is the .Metadata.Name field of the Node API object that will be created in this kubeadm init or kubeadm join operation. This field is also used in the CommonName field of the kubelet's client certificate to the API server. Defaults to the hostname of the node if not provided.

taintsarray

taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the kubeadm init process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.ignorePreflightErrors

Description
ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.ignorePreflightErrors[]

Type
string

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.kubeletExtraArgs

Description
kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap. Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
Type
object

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.taints

Description
taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the `kubeadm init` process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: []` in the YAML file. This field is solely used for Node registration.
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.nodeRegistration.taints[]

Description
The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.
Type
object
Required
effect, key
PropertyTypeDescription
effectstring

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

keystring

Required. The taint key to be applied to a node.

timeAddedstring

TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

valuestring

The taint value corresponding to the taint key.

.spec.kubeadmConfigSpec.joinConfiguration.patches

Description
patches contains options related to applying patches to components deployed by kubeadm during "kubeadm join". The minimum Kubernetes version needed to support Patches is v1.22.
Type
object
PropertyTypeDescription
directorystring

directory is a path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically. These files can be written into the target directory via KubeadmConfig.Files, which specifies additional files to be created on the machine, either with content inline or by referencing a secret.
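Because these files change the static pod manifests of control plane components, it is useful to check which names in a patches directory match the documented pattern and which component each one touches. The following is an added example, not kubeadm or Cluster API code: ParsePatchFileName and PlanPatches are hypothetical helpers, the file names are constructed, and ordering by suffix and then by file name is this example's reading of "applied first alpha-numerically".

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Allowed values, copied from the "directory" field description.
var (
	patchTargets = []string{"kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd"}
	patchTypes   = map[string]bool{"strategic": true, "merge": true, "json": true}
)

// PatchFile is the decomposed form of "target[suffix][+patchtype].extension".
type PatchFile struct {
	Name, Target, Suffix, PatchType, Extension string
}

// ParsePatchFileName (hypothetical helper) splits a file name into its parts
// and rejects names that do not follow the documented pattern.
func ParsePatchFileName(name string) (PatchFile, error) {
	ext := strings.TrimPrefix(filepath.Ext(name), ".")
	if ext != "json" && ext != "yaml" {
		return PatchFile{}, fmt.Errorf("%s: extension must be json or yaml", name)
	}
	base := strings.TrimSuffix(name, "."+ext)

	patchType := "strategic" // documented default when "+patchtype" is absent
	if i := strings.LastIndex(base, "+"); i >= 0 {
		patchType, base = base[i+1:], base[:i]
		if !patchTypes[patchType] {
			return PatchFile{}, fmt.Errorf("%s: unknown patchtype %q", name, patchType)
		}
	}

	// No documented target is a prefix of another, so the first match is the only match.
	for _, target := range patchTargets {
		if strings.HasPrefix(base, target) {
			return PatchFile{
				Name: name, Target: target, Suffix: strings.TrimPrefix(base, target),
				PatchType: patchType, Extension: ext,
			}, nil
		}
	}
	return PatchFile{}, fmt.Errorf("%s: target is not one of %v", name, patchTargets)
}

// PlanPatches groups the valid names by target in suffix order and returns
// the rejected names with the reason for each (assumed ordering, see lead-in).
func PlanPatches(names []string) (map[string][]string, []error) {
	var parsed []PatchFile
	var rejected []error
	for _, n := range names {
		p, err := ParsePatchFileName(n)
		if err != nil {
			rejected = append(rejected, err)
			continue
		}
		parsed = append(parsed, p)
	}
	sort.Slice(parsed, func(i, j int) bool {
		if parsed[i].Suffix != parsed[j].Suffix {
			return parsed[i].Suffix < parsed[j].Suffix
		}
		return parsed[i].Name < parsed[j].Name
	})
	plan := map[string][]string{}
	for _, p := range parsed {
		plan[p.Target] = append(plan[p.Target], p.Name)
	}
	return plan, rejected
}

func main() {
	// Constructed directory listing, not taken from a real machine.
	names := []string{
		"kube-apiserver1+json.json",
		"kube-apiserver0+merge.yaml",
		"etcd.json",
		"kubelet.yaml",                // target not in the list documented above
		"kube-scheduler+replace.yaml", // patchtype not in the documented list
		"kube-apiserver.txt",          // extension is neither json nor yaml
	}
	plan, rejected := PlanPatches(names)
	for _, target := range patchTargets {
		fmt.Printf("%-24s %v\n", target, plan[target])
	}
	for _, err := range rejected {
		fmt.Println("rejected:", err)
	}
}
```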

.spec.kubeadmConfigSpec.joinConfiguration.skipPhases

Description
skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.
Type
array

.spec.kubeadmConfigSpec.joinConfiguration.skipPhases[]

Type
string

.spec.kubeadmConfigSpec.mounts

Description
mounts specifies a list of mount points to be set up.
Type
array

.spec.kubeadmConfigSpec.mounts[]

Description
MountPoints defines input for generated mounts in cloud-init.
Type
array

.spec.kubeadmConfigSpec.ntp

Description
ntp specifies NTP configuration
Type
object
PropertyTypeDescription
enabledboolean

enabled specifies whether NTP should be enabled

serversarray

servers specifies which NTP servers to use

.spec.kubeadmConfigSpec.ntp.servers

Description
servers specifies which NTP servers to use
Type
array

.spec.kubeadmConfigSpec.ntp.servers[]

Type
string

.spec.kubeadmConfigSpec.postKubeadmCommands

Description
postKubeadmCommands specifies extra commands to run after kubeadm runs. With cloud-init, this is appended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is appended to /etc/kubeadm.sh.
Type
array

.spec.kubeadmConfigSpec.postKubeadmCommands[]

Type
string

.spec.kubeadmConfigSpec.preKubeadmCommands

Description
preKubeadmCommands specifies extra commands to run before kubeadm runs. With cloud-init, this is prepended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is prepended to /etc/kubeadm.sh.
Type
array

.spec.kubeadmConfigSpec.preKubeadmCommands[]

Type
string

.spec.kubeadmConfigSpec.users

Description
users specifies extra users to add
Type
array

.spec.kubeadmConfigSpec.users[]

Description
User defines the input for a generated user in cloud-init.
Type
object
Required
name
PropertyTypeDescription
gecosstring

gecos specifies the gecos to use for the user

groupsstring

groups specifies the additional groups for the user

homeDirstring

homeDir specifies the home directory to use for the user

inactiveboolean

inactive specifies whether to mark the user as inactive

lockPasswordboolean

lockPassword specifies if password login should be disabled

namestring

name specifies the user name

passwdstring

passwd specifies a hashed password for the user

passwdFromobject

passwdFrom is a referenced source of passwd to populate the passwd.

primaryGroupstring

primaryGroup specifies the primary group for the user

shellstring

shell specifies the user's shell

sshAuthorizedKeysarray

sshAuthorizedKeys specifies a list of ssh authorized keys for the user

sudostring

sudo specifies a sudo role for the user

.spec.kubeadmConfigSpec.users[].passwdFrom

Description
passwdFrom is a referenced source of passwd to populate the passwd.
Type
object
Required
secret
PropertyTypeDescription
secretobject

secret represents a secret that should populate this password.

.spec.kubeadmConfigSpec.users[].passwdFrom.secret

Description
secret represents a secret that should populate this password.
Type
object
Required
key, name
PropertyTypeDescription
keystring

key is the key in the secret's data map for this value.

namestring

name of the secret in the KubeadmBootstrapConfig's namespace to use.

.spec.kubeadmConfigSpec.users[].sshAuthorizedKeys

Description
sshAuthorizedKeys specifies a list of ssh authorized keys for the user
Type
array

.spec.kubeadmConfigSpec.users[].sshAuthorizedKeys[]

Type
string

.spec.machineNamingStrategy

Description
machineNamingStrategy allows changing the naming pattern used when creating Machines. InfraMachines & KubeadmConfigs will use the same name as the corresponding Machines.
Type
object
PropertyTypeDescription
templatestring

template defines the template to use for generating the names of the Machine objects. If not defined, it will fall back to {{ .kubeadmControlPlane.name }}-{{ .random }}. If the generated name string exceeds 63 characters, it will be trimmed to 58 characters and will get concatenated with a random suffix of length 5. Length of the template string must not exceed 256 characters. The template allows the following variables: .cluster.name, .kubeadmControlPlane.name and .random. The variable .cluster.name retrieves the name of the cluster object that owns the Machines being created. The variable .kubeadmControlPlane.name retrieves the name of the KubeadmControlPlane object that owns the Machines being created. The variable .random is substituted with a random alphanumeric string, without vowels, of length 5. This variable is a required part of the template. If not provided, validation will fail.

.spec.machineTemplate

Description
machineTemplate contains information about how machines should be shaped when creating or updating a control plane.
Type
object
Required
infrastructureRef
PropertyTypeDescription
infrastructureRefobject

infrastructureRef is a required reference to a custom resource offered by an infrastructure provider.

metadataObjectMeta

metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

nodeDeletionTimeoutstring

nodeDeletionTimeout defines how long the machine controller will attempt to delete the Node that the Machine hosts after the Machine is marked for deletion. A duration of 0 will retry deletion indefinitely. If no value is provided, the default value for this property of the Machine resource will be used.

nodeDrainTimeoutstring

nodeDrainTimeout is the total amount of time that the controller will spend on draining a controlplane node. The default value is 0, meaning that the node can be drained without any time limitations. NOTE: NodeDrainTimeout is different from kubectl drain --timeout.

nodeVolumeDetachTimeoutstring

nodeVolumeDetachTimeout is the total amount of time that the controller will spend on waiting for all volumes to be detached. The default value is 0, meaning that the volumes can be detached without any time limitations.

readinessGatesarray

readinessGates specifies additional conditions to include when evaluating the Machine Ready condition; KubeadmControlPlane will always add readinessGates for the conditions it is setting on the Machine: APIServerPodHealthy, SchedulerPodHealthy, ControllerManagerPodHealthy, and if etcd is managed by KCP also EtcdPodHealthy, EtcdMemberHealthy.

This field can be used e.g. to instruct the machine controller to include, in the computation of the Machine's Ready condition, a condition managed by an external controller that reports the status of special software/hardware installed on the Machine.

NOTE: This field is considered only for computing v1beta2 conditions.

taintsarray

The list of the taints to be applied to the corresponding Node in an additive manner. This list will not overwrite any other taints added to the Node on an ongoing basis by other entities. These taints should be actively reconciled (e.g. if you ask the machine controller to apply a taint and then manually remove the taint, the machine controller will put it back) but not have the machine controller remove any taints.

.spec.machineTemplate.infrastructureRef

Description
infrastructureRef is a required reference to a custom resource offered by an infrastructure provider.
Type
object
PropertyTypeDescription
apiVersionstring

API version of the referent.

fieldPathstring

If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.

kindstring

Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

namestring

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

namespacestring

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceVersionstring

Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

uidstring

UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids

.spec.machineTemplate.readinessGates

Description
readinessGates specifies additional conditions to include when evaluating the Machine Ready condition; KubeadmControlPlane will always add readinessGates for the conditions it is setting on the Machine: APIServerPodHealthy, SchedulerPodHealthy, ControllerManagerPodHealthy, and if etcd is managed by KCP also EtcdPodHealthy, EtcdMemberHealthy. This field can be used e.g. to instruct the machine controller to include, in the computation of the Machine's Ready condition, a condition managed by an external controller that reports the status of special software/hardware installed on the Machine. NOTE: This field is considered only for computing v1beta2 conditions.
Type
array

.spec.machineTemplate.readinessGates[]

Description
MachineReadinessGate contains the type of a Machine condition to be used as a readiness gate.
Type
object
Required
conditionType
PropertyTypeDescription
conditionTypestring

conditionType refers to a condition with matching type in the Machine's condition list. If the condition doesn't exist, it will be treated as unknown. Note: Both Cluster API conditions and conditions added by 3rd party controllers can be used as readiness gates.

polaritystring

polarity of the conditionType specified in this readinessGate. Valid values are Positive, Negative and omitted. When omitted, the default behaviour will be Positive. A positive polarity means that the condition should report a true status under normal conditions. A negative polarity means that the condition should report a false status under normal conditions.

.spec.machineTemplate.taints

Description
The list of the taints to be applied to the corresponding Node in an additive manner. This list will not overwrite any other taints added to the Node on an ongoing basis by other entities. These taints should be actively reconciled (e.g. if you ask the machine controller to apply a taint and then manually remove the taint, the machine controller will put it back) but not have the machine controller remove any taints.
Type
array

.spec.machineTemplate.taints[]

Description
The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.
Type
object
Required
effect, key
PropertyTypeDescription
effectstring

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

keystring

Required. The taint key to be applied to a node.

timeAddedstring

TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

valuestring

The taint value corresponding to the taint key.

.spec.remediationStrategy

Description
remediationStrategy is the RemediationStrategy that controls how control plane machine remediation happens.
Type
object
PropertyTypeDescription
maxRetryinteger

maxRetry is the maximum number of retries while attempting to remediate an unhealthy machine. A retry happens when a machine that was created as a replacement for an unhealthy machine also fails. For example, given a control plane with three machines M1, M2, M3:

  • M1 becomes unhealthy; remediation happens, and M1-1 is created as a replacement.
  • If M1-1 (replacement of M1) has problems while bootstrapping, it will become unhealthy and then be remediated; such an operation is considered a retry, remediation-retry #1.
  • If M1-2 (replacement of M1-1) becomes unhealthy, remediation-retry #2 will happen, etc.

A retry can happen only after RetryPeriod has elapsed since the previous retry. If a machine is marked as unhealthy after MinHealthyPeriod from the previous remediation has expired, this is no longer considered a retry because the new issue is assumed to be unrelated to the previous one.

If not set, the remediation will be retried infinitely.

minHealthyPeriodstring

minHealthyPeriod defines the duration after which KCP will consider any failure of a machine unrelated to the previous one. In this case the remediation is no longer considered a retry, and thus the retry counter restarts from 0. For example, assuming MinHealthyPeriod is set to 1h (default):

  • M1 becomes unhealthy; remediation happens, and M1-1 is created as a replacement.
  • If M1-1 (replacement of M1) has problems within 1h after its creation, this machine will also be remediated and the operation is considered a retry, that is, a problem related to the original issue that happened to M1.

If instead the problem on M1-1 happens after MinHealthyPeriod has expired, e.g. four days after M1-1 was created as a remediation of M1, the problem on M1-1 is considered unrelated to the original issue that happened to M1.

If not set, this value is defaulted to 1h.

retryPeriodstring

retryPeriod is the duration that KCP should wait before remediating a machine being created as a replacement for an unhealthy machine (a retry).

If not set, a retry will happen immediately.
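How maxRetry, retryPeriod and minHealthyPeriod interact is easiest to see on a timeline of failures. The following is an added example, not the KubeadmControlPlane controller's code: the Strategy, LastRemediation and Decision types, the Decide and Replay functions and the sample timestamps are constructed here, and it assumes every failing machine is the replacement created by the previous remediation.

```go
package main

import (
	"fmt"
	"time"
)

// Strategy mirrors the three remediationStrategy fields described above.
type Strategy struct {
	MaxRetry         *int          // nil: retries are not limited
	RetryPeriod      time.Duration // zero: a retry may happen immediately
	MinHealthyPeriod time.Duration // zero: treated as unset, defaults to 1h
}

// LastRemediation mirrors the timestamp and retryCount of status.lastRemediation.
type LastRemediation struct {
	Timestamp  time.Time
	RetryCount int
}

// Decision is this example's own result type, not a Cluster API type.
type Decision struct {
	Remediate  bool
	RetryCount int // retry counter after the decision
	Reason     string
}

// Decide applies the documented rules to one unhealthy machine observed at "now".
func Decide(s Strategy, last *LastRemediation, now time.Time) Decision {
	if last == nil {
		return Decision{Remediate: true, RetryCount: 0, Reason: "first remediation"}
	}
	minHealthy := s.MinHealthyPeriod
	if minHealthy == 0 {
		minHealthy = time.Hour // documented default
	}
	// After minHealthyPeriod the failure is unrelated and the counter restarts from 0.
	if !now.Before(last.Timestamp.Add(minHealthy)) {
		return Decision{Remediate: true, RetryCount: 0, Reason: "unrelated failure, counter restarts"}
	}
	// From here on the remediation would be a retry.
	if s.MaxRetry != nil && last.RetryCount >= *s.MaxRetry {
		return Decision{Remediate: false, RetryCount: last.RetryCount, Reason: "maxRetry reached"}
	}
	if now.Before(last.Timestamp.Add(s.RetryPeriod)) {
		return Decision{Remediate: false, RetryCount: last.RetryCount, Reason: "retryPeriod not elapsed"}
	}
	return Decision{Remediate: true, RetryCount: last.RetryCount + 1, Reason: "retry"}
}

// Replay feeds a sequence of failure times through Decide, updating the
// last-remediation record only when a remediation is actually performed.
func Replay(s Strategy, failures []time.Time) []Decision {
	var last *LastRemediation
	var out []Decision
	for _, at := range failures {
		d := Decide(s, last, at)
		if d.Remediate {
			last = &LastRemediation{Timestamp: at, RetryCount: d.RetryCount}
		}
		out = append(out, d)
	}
	return out
}

// SampleTimeline returns a constructed scenario: maxRetry 2, retryPeriod 10m,
// minHealthyPeriod unset (1h), and six failures of successive replacements.
func SampleTimeline() (Strategy, []time.Time) {
	maxRetry := 2
	t0 := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	s := Strategy{MaxRetry: &maxRetry, RetryPeriod: 10 * time.Minute}
	return s, []time.Time{
		t0,                         // M1 fails
		t0.Add(5 * time.Minute),    // replacement fails inside retryPeriod
		t0.Add(15 * time.Minute),   // retry #1
		t0.Add(30 * time.Minute),   // retry #2
		t0.Add(45 * time.Minute),   // would be retry #3, over maxRetry
		t0.Add(4 * 24 * time.Hour), // four days later: unrelated failure
	}
}

func main() {
	s, failures := SampleTimeline()
	for i, d := range Replay(s, failures) {
		fmt.Printf("%s remediate=%-5v retryCount=%d (%s)\n",
			failures[i].Format(time.RFC3339), d.Remediate, d.RetryCount, d.Reason)
	}
}
```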

.spec.rolloutBefore

Description
rolloutBefore is a field to indicate a rollout should be performed if the specified criteria are met.
Type
object
PropertyTypeDescription
certificatesExpiryDaysinteger

certificatesExpiryDays indicates a rollout needs to be performed if the certificates of the machine will expire within the specified days.

.spec.rolloutStrategy

Description
rolloutStrategy is the RolloutStrategy to use to replace control plane machines with new ones.
Type
object
PropertyTypeDescription
rollingUpdateobject

rollingUpdate is the rolling update config params. Present only if RolloutStrategyType = RollingUpdate.

typestring

type of rollout. Currently the only supported strategy is "RollingUpdate". Default is RollingUpdate.

.spec.rolloutStrategy.rollingUpdate

Description
rollingUpdate is the rolling update config params. Present only if RolloutStrategyType = RollingUpdate.
Type
object
PropertyTypeDescription
maxSurge

maxSurge is the maximum number of control planes that can be scheduled above or under the desired number of control planes. Value can be an absolute number 1 or 0. Defaults to 1. Example: when this is set to 1, the control plane can be scaled up immediately when the rolling update starts.

.status

Description
status is the observed state of KubeadmControlPlane.
Type
object
PropertyTypeDescription
conditionsarray

conditions defines current service state of the KubeadmControlPlane.

failureMessagestring

failureMessage indicates that there is a terminal problem reconciling the state, and will be set to a descriptive error message.

Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details.

failureReasonstring

failureReason indicates that there is a terminal problem reconciling the state, and will be set to a token value suitable for programmatic interpretation.

Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details.

initializedboolean

initialized denotes that the KubeadmControlPlane API Server is initialized and thus it can accept requests. NOTE: this field is part of the Cluster API contract and it is used to orchestrate provisioning. The value of this field is never updated after provisioning is completed. Please use conditions to check the operational state of the control plane.

lastRemediationobject

lastRemediation stores info about last remediation performed.

observedGenerationinteger

observedGeneration is the latest generation observed by the controller.

readyboolean

ready denotes that the KubeadmControlPlane API Server became ready during initial provisioning to receive requests. NOTE: this field is part of the Cluster API contract and it is used to orchestrate provisioning. The value of this field is never updated after provisioning is completed. Please use conditions to check the operational state of the control plane.

readyReplicasinteger

readyReplicas is the total number of fully running and ready control plane machines.

replicasinteger

replicas is the total number of non-terminated machines targeted by this control plane (their labels match the selector).

selectorstring

selector is the label selector in string format to avoid introspection by clients, and is used to provide the CRD-based integration for the scale subresource and additional integrations for things like kubectl describe. The string will be in the same format as the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors

unavailableReplicasinteger

unavailableReplicas is the total number of unavailable machines targeted by this control plane. This is the total number of machines that are still required for the deployment to have 100% available capacity. They may either be machines that are running but not yet ready or machines that still have not been created.

Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details.

updatedReplicasinteger

updatedReplicas is the total number of non-terminated machines targeted by this control plane that have the desired template spec.

v1beta2object

v1beta2 groups all the fields that will be added or modified in KubeadmControlPlane's status with the V1Beta2 version.

versionstring

version represents the minimum Kubernetes version for the control plane machines in the cluster.

.status.conditions

Description
conditions defines current service state of the KubeadmControlPlane.
Type
array

.status.conditions[]

Description
Condition defines an observation of a Cluster API resource operational state.
Type
object
Required
lastTransitionTime, status, type
PropertyTypeDescription
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

messagestring

message is a human readable message indicating details about the transition. This field may be empty.

reasonstring

reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty.

severitystring

severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.

statusstring

status of the condition, one of True, False, Unknown.

typestring

type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.

.status.lastRemediation

Description
lastRemediation stores info about last remediation performed.
Type
object
Required
machine, retryCount, timestamp
PropertyTypeDescription
machinestring

machine is the machine name of the latest machine being remediated.

retryCountinteger

retryCount is used to keep track of remediation retries for the last remediated machine. A retry happens when a machine that was created as a replacement for an unhealthy machine also fails.

timestampstring

timestamp is when last remediation happened. It is represented in RFC3339 form and is in UTC.

.status.v1beta2

Description
v1beta2 groups all the fields that will be added or modified in KubeadmControlPlane's status with the V1Beta2 version.
Type
object
PropertyTypeDescription
availableReplicasinteger

availableReplicas is the number of available replicas targeted by this KubeadmControlPlane. A machine is considered available when Machine's Available condition is true.

conditionsarray

conditions represents the observations of a KubeadmControlPlane's current state. Known condition types are Available, CertificatesAvailable, EtcdClusterAvailable, MachinesReady, MachinesUpToDate, ScalingUp, ScalingDown, Remediating, Deleting, Paused.

readyReplicasinteger

readyReplicas is the number of ready replicas for this KubeadmControlPlane. A machine is considered ready when Machine's Ready condition is true.

upToDateReplicasinteger

upToDateReplicas is the number of up-to-date replicas targeted by this KubeadmControlPlane. A machine is considered up-to-date when Machine's UpToDate condition is true.

.status.v1beta2.conditions

Description
conditions represents the observations of a KubeadmControlPlane's current state. Known condition types are Available, CertificatesAvailable, EtcdClusterAvailable, MachinesReady, MachinesUpToDate, ScalingUp, ScalingDown, Remediating, Deleting, Paused.
Type
array

.status.v1beta2.conditions[]

Description
Condition contains details for one aspect of the current state of this API Resource.
Type
object
Required
lastTransitionTime, message, reason, status, type
PropertyTypeDescription
lastTransitionTimestring

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

messagestring

message is a human readable message indicating details about the transition. This may be an empty string.

observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

reasonstring

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

statusstring

status of the condition, one of True, False, Unknown.

typestring

type of condition in CamelCase or in foo.example.com/CamelCase.

API Endpoints

The following API endpoints are available:

  • /apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes
    • DELETE: delete collection of KubeadmControlPlane
    • GET: list objects of kind KubeadmControlPlane
    • POST: create a new KubeadmControlPlane
  • /apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes/{name}
    • DELETE: delete the specified KubeadmControlPlane
    • GET: read the specified KubeadmControlPlane
    • PATCH: partially update the specified KubeadmControlPlane
    • PUT: replace the specified KubeadmControlPlane
  • /apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes/{name}/status
    • GET: read status of the specified KubeadmControlPlane
    • PATCH: partially update status of the specified KubeadmControlPlane
    • PUT: replace status of the specified KubeadmControlPlane

/apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes

HTTP method
DELETE
Description
delete collection of KubeadmControlPlane
HTTP responses
HTTP codeResponse body
200 - OKStatus schema
401 - UnauthorizedEmpty
HTTP method
GET
Description
list objects of kind KubeadmControlPlane
HTTP responses
HTTP codeResponse body
200 - OKKubeadmControlPlaneList schema
401 - UnauthorizedEmpty
HTTP method
POST
Description
create a new KubeadmControlPlane
Query parameters
ParameterTypeDescription
dryRunstring

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are:
  • All: all dry run stages will be processed

fieldValidationstring

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are:
  • Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23.
  • Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+
  • Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
Body parameters
ParameterTypeDescription
bodyKubeadmControlPlane schemaapplication/json formatted
HTTP responses
HTTP codeResponse body
200 - OKKubeadmControlPlane schema
201 - CreatedKubeadmControlPlane schema
202 - AcceptedKubeadmControlPlane schema
401 - UnauthorizedEmpty
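
The three fieldValidation modes described above, modelled offline for a create request. This is an added example, not part of the original reference and not the API server's implementation; the partial SCHEMA, the helper names and the SAMPLE body are assumptions constructed for illustration. With Ignore, the misspelled replica field is dropped without any signal, so the intended replica count is never stored.

```python
import json

# Partial schema built from the fields listed on this page; None marks a field
# this model does not descend into. Illustrative only, not the real CRD schema.
SCHEMA = {
    "apiVersion": None, "kind": None, "metadata": None, "status": None,
    "spec": {"kubeadmConfigSpec": None, "machineNamingStrategy": None,
             "machineTemplate": None, "remediationStrategy": None,
             "replicas": None, "version": None},
}

class _Obj(dict):
    """A dict that remembers which keys were repeated in the JSON text."""
    dups = ()

def _pairs_hook(pairs):
    obj, dups = _Obj(), []
    for key, value in pairs:
        if key in obj and key not in dups:
            dups.append(key)
        obj[key] = value  # the last duplicate wins
    obj.dups = dups
    return obj

def _walk(obj, schema, path, unknown, duplicate):
    duplicate.extend(path + key for key in obj.dups)
    for key in list(obj):
        if key not in schema:
            unknown.append(path + key)
            del obj[key]  # unknown fields are dropped before persisting
        elif isinstance(schema[key], dict) and isinstance(obj[key], _Obj):
            _walk(obj[key], schema[key], path + key + ".", unknown, duplicate)

def admit(raw_body, field_validation="Warn"):
    """Model a POST: return (http_status, warnings_or_errors, persisted_object)."""
    if field_validation not in ("Ignore", "Warn", "Strict"):
        raise ValueError("unrecognized fieldValidation value")
    obj = json.loads(raw_body, object_pairs_hook=_pairs_hook)
    unknown, duplicate = [], []
    _walk(obj, SCHEMA, "", unknown, duplicate)
    problems = ([f'unknown field "{p}"' for p in unknown]
                + [f'duplicate field "{p}"' for p in duplicate])
    if field_validation == "Strict" and problems:
        return 400, problems, None  # BadRequest, nothing persisted
    return 201, (problems if field_validation == "Warn" else []), obj

# Constructed request body: "replica" is a typo for "replicas"; "version" repeats.
SAMPLE = """{"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
 "kind": "KubeadmControlPlane", "metadata": {"name": "demo"},
 "spec": {"replica": 3, "version": "v1.29.0", "version": "v1.30.0"}}"""
```

Calling admit(SAMPLE, "Strict") rejects the body and names both offending paths, which is the mode to use in CI or admission pipelines where a silently dropped field would change the resulting control plane.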

/apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes/{name}

HTTP method
DELETE
Description
delete the specified KubeadmControlPlane
Query parameters
Parameter | Type | Description
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
HTTP responses
HTTP code | Response body
200 - OK | Status schema
202 - Accepted | Status schema
401 - Unauthorized | Empty
HTTP method
GET
Description
read the specified KubeadmControlPlane
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
401 - Unauthorized | Empty
HTTP method
PATCH
Description
partially update the specified KubeadmControlPlane
Query parameters
Parameter | Type | Description
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
401 - Unauthorized | Empty
HTTP method
PUT
Description
replace the specified KubeadmControlPlane
Query parameters
Parameter | Type | Description
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
Body parameters
Parameter | Type | Description
body | KubeadmControlPlane schema | application/json formatted
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
201 - Created | KubeadmControlPlane schema
401 - Unauthorized | Empty

/apis/controlplane.cluster.x-k8s.io/v1beta1/namespaces/{namespace}/kubeadmcontrolplanes/{name}/status

HTTP method
GET
Description
read status of the specified KubeadmControlPlane
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
401 - Unauthorized | Empty
HTTP method
PATCH
Description
partially update status of the specified KubeadmControlPlane
Query parameters
Parameter | Type | Description
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
401 - Unauthorized | Empty
HTTP method
PUT
Description
replace status of the specified KubeadmControlPlane
Query parameters
Parameter | Type | Description
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.
Body parameters
Parameter | Type | Description
body | KubeadmControlPlane schema | application/json formatted
HTTP responses
HTTP code | Response body
200 - OK | KubeadmControlPlane schema
201 - Created | KubeadmControlPlane schema
401 - Unauthorized | Empty