Parameters

The parent key for all of the following parameters is appuio_cloud.

namespace

type

string

default

appuio-cloud

The namespace in which to deploy this component.

namespaceLabels

type

dict

default
network-policies.syn.tools/no-defaults: 'true'
network-policies.syn.tools/purge-defaults: 'true'

The labels of the namespace in which this component is deployed.

namespaceAnnotations

type

dict

default

{}

The annotations of the namespace in which this component is deployed.

images

type

dict

default

See class/defaults.yml

This parameter allows selecting the Docker images to us. Each image is specified using keys registry, repository and tag. This structure allows easily injecting a registry mirror, if required.

monitoring.enabled

type

boolean

default

true

Controls if ServiceMonitor object is created to scrape the APPUiO Cloud Agent metrics.

agent.replicas

type

int

default

3

With how many replicas the APPUiO Cloud Agent should run.

agent.resources

type

dict

default
limits:
  memory: 1Gi

Resource requests and limits for the APPUiO Cloud Agent deployment.

The contents of this parameter are merged over the default resource requests and limits of the Agent’s base configuration.

agent.resourceRatio.memoryPerCore

type

string

default

4Gi

The "fair-use" limit of memory to CPU request. That means, if a namespace requests less than 4Gi of memory per requested CPU core, the APPUiO Cloud Agent will warn the user that they exceed the "fair-use" limit and will potentially generate additional costs.

agent.webhook.tls

This key configures encryption of traffic to the controller’s admission webhook server. The Kubernetes API server only communicates with admission webhooks over HTTPS. Therefore, the component requires that both agent.webhook.tls.certificate and agent.webhook.tls.key are configured.

agent.webhook.tls.certSecretName

type

string

default

webhook-service-tls

The name of the secret containing the TLS certificate and key for the agent’s webhook server.

agent.webhook.tls.caCertificate

type

string

default

""

The CA certificate used to sign the webhook service certificate. If left empty, the component assumes that the provided certificate can be verified using the cluster’s default CA bundle.

If you deploy a self-signed certificate, set this parameter to ${appuio_cloud:agent:webhook:tls:certificate}.

agent.webhook.tls.certificate

type

string

default

""

The certificate to use for the agent’s admission webhook server. Users must provide this parameter, since Kubernetes doesn’t support admission webhooks which aren’t secured with TLS.

agent.webhook.tls.key

type

string

default

?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/webhook-key}

The private key to use for the agent’s admission webhook server.

agent.webhook.namespaceSelector

type

dict

NamespaceSelector that’s applied to every webhook installed by the APPUiO Cloud Agent The namespaceSelector decides whether to run the webhook on a request for a namespaced resource (or a Namespace object), based on whether the namespace’s labels match the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is a cluster scoped resource other than a Namespace, namespaceSelector has no effect.

See the upstream documentation on these selectors.

agent.config

type

dict

default

See class/defaults.yml

This parameter allows configuring the APPUiO Cloud Agent. See the Agent repository for an overview of the available configuration options.

agent.config._subjects

type

dict

default

${appuio_cloud:bypassNamespaceRestrictions:subjects}

example
_subjects:
  argocd:
    kind: ServiceAccount
    name: argocd-application-controller
    namespace: argocd
  admin:
    kind: User
    name: admin
  admins:
    kind: Group
    name: admins

A special key to map between the Kyverno way of specifying subjects and the APPUiO Cloud Agent way. The key is omitted from the final configuration.

clusterRoles

type

dict

example
clusterRoles:
  namespace-owner:
    rules:
      - apiGroups: ['']
        resources: [namespaces]
        verbs:
          - get
          - watch
          - edit
          - patch
          - delete

The clusterRoles parameter can be used to create a list of arbitrary ClusterRoles. The key is used as the name of the ClusterRole and the value is transformed into the ClusterRole resource.

reservedNamespaces

type

dict

example
reservedNamespaces:
  monitoring: ['monitoring-*', 'test-monitoring-*']
  logging: logging

Creating and editing namespaces matching any of the entries is disallowed. The list must consist of entries like custom: ['custom-', 'test-custom-'] or custom: 'custom-*'.

allowedNamespaceLabels

type

dict

example
allowedNamespaceLabels:
  kubernetesGenerated:
    - kubernetes.io/metadata.name
  custom: custom.io/*

Creating and editing namespace labels is disallowed except for labels explicitly approved using this parameter. The list must consist of entries like custom: ['custom-', 'test-custom-'] or custom: 'custom-*'.

allowedNamespaceAnnotations

type

dict

example
allowedNamespaceAnnotations:
  kubernetesGenerated:
    - kubectl.kubernetes.io/last-applied-configuration
  custom: custom.io/*

Creating and editing namespace annotations is disallowed except for annotations explicitly approved using this parameter. The list must consist of entries like custom: ['custom-', 'test-custom-'] or custom: 'custom-*'.

bypassNamespaceRestrictions.roles

type

dict

example
roles:
  my-admin: ['my-admin', 'test-admin']
  special-role: special-role

Roles in the same namespace excluded from all namespace policies. Must consist of entries like my-admin: ['my-admin', 'test-admin'] or my-admin: 'my-admin'.

bypassNamespaceRestrictions.clusterRoles

type

dict

example
clusterRoles:
  my-admin: ['my-admin', 'test-admin']
  special-role: special-role

ClusterRoles excluded from all namespace policies. Must consist of entries like my-admin: ['my-admin', 'test-admin'] or my-admin: 'my-admin'.

bypassNamespaceRestrictions.subjects

type

dict

example
subjects:
  argocd:
    kind: ServiceAccount
    name: argocd-application-controller
    namespace: syn-argocd

ServiceAccount, User or Group (chosen by kind:) excluded from all namespace policies.

generatedResourceQuota

type

dict

A key-value map defining ResourceQuota objects. Each entry will generate a ResourceQuota with the key as its name.

generatedResourceQuota[name].synchronize

type

bool

default

true

Whether the created ResourceQuota is kept in sync. If set to false the created ResourceQuota can be modified.

There is a bug in kyverno up until v1.4.2. The bug has been fixed, but as of writing this the fix hasn’t been released. The bug will cause the ResourceQuota to be updated if the Namespace or ClusterPolicy changes, even if synchronize has been disabled.

generatedResourceQuota[name].spec

type

dict

default

See class/defaults.yml

The desired contents of field spec of the ResourceQuota that should be generated. The component doesn’t validate the contents of this field. See the Kubernetes Resource Quota documentation for supported configurations.

You can override these default quotas on a namespace level, by setting an annotation resourcequota.appuio.io/<name>.<resource> on the namespace.

For example resourcequota.appuio.io/organization-compute.limits.cpu: "1337" will increase the limit of used vCPUs to 1337.

For resources containing a forward slash, you will need to substitute it for an underline. For example: resourcequota.appuio.io/organization-objects.openshift.io_imagestreams: "40".

The exception is that for customizing storage class quotas you need to set annotation resourcequota.appuio.io/<name>.storageclasses. This is because the regular annotations for storageclass-specific resources are generally too long to be accepted as annotation keys by Kubernetes. The value of the resourcequota.appuio.io/<name>.storageclasses annotation is parsed as JSON by Kyverno. The policy expects that the parsed JSON is a single object. For quota keys of the resource quota <name> which match the prefix <storageclass>.storageclass.storage.k8s.io the policy checks that JSON object instead of a plain annotation for overrides.

generatedLimitRange

type

dict

This parameter defines a LimitRange object.

generatedLimitRange.name

type

string

default

organization

The metadata.name of the LimitRange that gets generated in the new Namespace created by the user.

generatedLimitRange.synchronize

type

bool

default

true

Whether the created LimitRange is kept in sync. If set to false the created LimitRange can be modified.

There is a bug in kyverno up until v1.4.2. The bug has been fixed, but as of writing this the fix hasn’t been released. The bug will cause the LimitRange to be updated if the Namespace or ClusterPolicy changes, even if synchronize has been disabled.

generatedLimitRange.limits

type

dict

example
limits:
  "Container":
    max:
      memory: "4G"
    min:
      memory: "4Mi"
  "PersistentVolumeClaim":
    max:
      storage: 2Gi
    min:
      storage: 1Gi

A key-value map defining limits for different Types.

The example above will reject any PVC smaller than 1Gi or larger than 2Gi. It will also reject any container requesting more than 4G of memory or less than 4Mi.

Consult the official Kubernetes documentation on how to configure these limits.

disallowDockerBuildStrategy

type

boolean

default

true

Creating build strategies using Docker is disallowed.

maxNamespaceQuota

type

int

default

25

Set the number of namespaces an organization can create.

It’s recommended that this quota is applied per zone. For example, with a quota of 25 in Zone A and a quota of 10 in Zone B, any organization can have 25 namespaces in Zone A, but only 10 namespaces in Zone B.

namespaceQuotaOverrides

type

dict

Override maxNamespaceQuota for a specific organization.

namespaceQuotaOverrides:
  exampleCompany: 50 (1)
1 The organization exampleCompany can now have 50 namespaces
  • You can also set an override that’s lower than the default quota.

  • It’s recommended that this override is applied per zone.

projectTemplate

Configuration options for the OpenShift default project template.

projectTemplate.enabled

type

boolean

default

false

This parameter controls whether the component deploys and enables a custom default project template.

projectTemplate.objects

type

dict

default
project:
  apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/description: '\${PROJECT_DESCRIPTION}'
      openshift.io/display-name: '\${PROJECT_DISPLAYNAME}'
      openshift.io/requester: '\${PROJECT_REQUESTING_USER}'
    name: '\${PROJECT_NAME}'

The contents of this dict are used to populate field objects of the OpenShift template object. The keys in the dict are ignored, but can be used in the configuration hierarchy to change existing template objects. Setting a key to value null removes the object from the resulting template.

To avoid Commodore trying to interpret template parameters, escape them with \${PARAM} as shown in the default value. Any parameters used in the template objects must be defined in component parameter projectTemplate.parameters.

OpenShift requires that the default template contains at least one object of type Project.

projectTemplate.parameters

type

dict

default
PROJECT_NAME: {}
PROJECT_DISPLAYNAME: {}
PROJECT_DESCRIPTION: {}
PROJECT_ADMIN_USER: {}
PROJECT_REQUESTING_USER: {}

The contents of this dict are used to populate field parameters of the OpenShift template object.

The field parameters in the template object is a list of objects, see the OpenShift documentation. The component transforms the entries of this component parameter into objects by using the key as field name of the resulting object and merging it with the provided value. Users can remove parameters by setting value null.

runOnceActiveDeadlineSeconds

Configuration for the cluster policy which ensures that .spec.activeDeadlineSeconds is set for all "runonce" pods. "Runonce" pods are pods which have .spec.restartPolicy set to OnFailure or Never.

runOnceActiveDeadlineSeconds.defaultActiveDeadlineSeconds

type

int

default

1800

This parameter gives the default value for .spec.activeDeadlineSeconds which is added to "runonce" pods which don’t have the field set already.

runOnceActiveDeadlineSeconds.overrideAnnotationKey

type

string

default

appuio.io/active-deadline-seconds-override

The key of the namespace annotation which users can use to override the global default value for .spec.activeDeadlineSeconds.

runOnceActiveDeadlineSeconds.podMatchExpressions

type

dict

default

{}

example
podMatchExpressions:
  # Don't set activeDeadlineSeconds for pods which have
  # label `acme.cert-manager.io/http01-solver`
  acme.cert-manager.io/http01-solver:
    operator: DoesNotExist

The entries of the dict are expected to be of form labelKey: <partial matchExpression>. Each entry is transformed to a Kubernetes matchExpression entry by taking the key as value for field key of the resulting match expression.

See the matchExpressions section in the Kubernetes LabelSelector documentation for supported fields in a matchExpressions element.

The field activeDeadlineSeconds will only be set for pods which match the provided expressions.

Generally, we recommend adjusting the value for activeDeadlineSeconds by annotating namespaces as documented above or by setting activeDeadlineSeconds in the Pod spec, but in some cases it may be necessary to exclude pods from the policy.